How To Secure Your WordPress Install

This article can be called the Definitive Guide to WordPress Security. Following these tips will help keep you and your visitors secure.

We have already done the following for you: we run secure, stable versions of the web servers and of the software on the servers that host your websites; we have put in place an industrial-grade server-level firewall on all systems; we have secured our servers and datacenters, with only the datacenter teams having monitored access; and we have implemented SFTP for file transfers.

We also constantly back up your data and give you the ability to do the same via our control panel.

The following are things we really think you need to do.

  • Ensure that your MySQL installation is as secure as possible.
  • Create a unique database for each blog installation, and make sure your database table names DO NOT begin with wp_.
  • Back up your database and other files as often as possible, especially right before you make a change (there are plenty of options for this, such as local system, CodeGuard and VaultPress).
  • And, of course, make sure your passwords are both complex and not used elsewhere.


Then there is the advanced part: hardening your WordPress core. Before you do that, please read Hardening WordPress at the Codex to get a brief overview of what you will be doing below.

Again, this is an advanced tutorial and you should never muck around with your wp-config or .htaccess files unless you know exactly what you are doing. The responsibility is entirely yours; you are warned.



WordPress auto-creates a section in the .htaccess file. Don't put anything inside of the WordPress section of the .htaccess, as it will be overwritten. Some things will need to go before the WordPress .htaccess section, and some things after, to avoid breaking things. If you don't know what should go where, you probably shouldn't be editing your .htaccess file.

OK, buckle up ... here we go.

This first bit of code helps to prevent errors on some Apache servers, and activates the rewrite engine (which many of these commands require to function):


## Include this at the start of your .htaccess file ## 

Options +FollowSymlinks
RewriteEngine On


This next bit turns off the server signature. This is a "security by obscurity" trick, as the less info a hacker has about your system, the harder it is to get in. The more they know, the easier it is to go out and hunt for known exploits:


## Disable the Server Signature ## 

ServerSignature Off


Sometimes spammers will append their own crappy query strings to the end of a URL, attempting to do all kinds of nasty things, and this next bit of code can negate it by 301 redirecting certain query strings back to the canonical URL.

Just edit the enter|separated|query|strings|here bit to include the query strings you're having issues with, separated by pipes (a pipe is a separator in RegEx). This next bit of code also has uses beyond blocking spammers, and can sort out issues with ?replytocom and other common junk query strings:


## Remove Spammy Query Strings ## 
RewriteCond %{QUERY_STRING} enter|separated|query|strings|here [NC] 
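# Capture the requested path so $1 is filled in; the trailing ? drops the query string.
# %{HTTP_HOST} already holds the requested host name, so nothing is prepended to it.
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1? [R=301,L]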


While not hacker-specific (though it certainly could be), this next bit of code will prevent bots with no user agent from hitting your site. Just change out the placeholder domain (example.com below) with your actual URL before placing this in your .htaccess:

## Protect from spam bots ##
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
# example.com is a placeholder for your own domain
RewriteCond %{HTTP_REFERER} !example\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]


A common hacking tactic is a SQL injection, and this bit of code can block the vast majority of attempts:



## SQL Injection Block ##
<IfModule mod_rewrite.c>
# Query-string patterns to refuse; the [OR] flags chain them into one group
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
# <script> tags, raw or URL-encoded
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
# Literal quote, apostrophe, angle brackets, backslash, brace and pipe
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\\|\{|\|).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
# Logged-in users skip the filter; everyone else gets 403 Forbidden
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
</IfModule>
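
To see what this rule set refuses before deploying it, the following added example (not part of the original article) replays a subset of the RewriteCond patterns above against constructed query strings in Python. `RULES`, `SAMPLES` and the function names are illustrative, and the last function flags any pattern that matches the empty string, since such a condition is true for every request.

```python
import re

# A subset of the RewriteCond patterns above; [NC] becomes re.IGNORECASE.
# mod_rewrite tests the raw, still percent-encoded query string, so the
# sample query strings below are written in raw form too.
RULES = [
    r"\.\./", r"boot\.ini", r"tag=", r"ftp:", r"http:", r"https:",
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",
    r"base64_encode.*\(.*\)",
    r"^.*(%24&x).*",
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",
    r"^.*(globals|encode|localhost|loopback).*",
    r"^.*(request|select|insert|union|declare).*",
]
LOGGED_IN = re.compile(r"^.*wordpress_logged_in_.*$")


def first_match(query, rules=RULES):
    """Return the first rule that matches the query string, or None."""
    for rule in rules:
        if re.search(rule, query, re.IGNORECASE):
            return rule
    return None


def is_forbidden(query, cookie=""):
    """Mirror the rule set: 403 when any pattern matches and the request
    carries no wordpress_logged_in_ cookie."""
    if LOGGED_IN.search(cookie):
        return False
    return first_match(query) is not None


def always_true(rules):
    """Lint: a pattern that matches the empty string matches every request.
    An empty alternative such as (a||b) is the usual cause."""
    return [r for r in rules if re.search(r, "") is not None]


# Constructed sample requests: (raw query string, what it represents)
SAMPLES = [
    ("p=42", "ordinary post link"),
    ("id=1+union+select+user_pass+from+wp_users", "injection probe"),
    ("file=../../wp-config.php", "path traversal probe"),
    ("s=select+a+theme", "legitimate site search"),
    ("s=caf%C3%A9", "legitimate search containing a non-ASCII letter"),
]

if __name__ == "__main__":
    for query, what in SAMPLES:
        verdict = "403" if is_forbidden(query) else "ok"
        print(f"{verdict:4} {query:45} {what}")
    # The extra pattern is constructed to show what the lint catches.
    print("always-true patterns:", always_true(RULES + [r"(\(|\)||;)"]))
```

The two search samples show that ordinary traffic can trip the filter, so run your own site's URLs through it before enabling the block.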

Now, there are plugins that can limit the number of login attempts from any one IP address, but that doesn't prevent hackers from using large blocks of IPs to brute-force your site (a la public proxy lists). The following bit of code only allows the login pages to be reached from IP addresses you specify, and blocks access to those pages from all other IPs.

Just adjust the allow from lines to reflect your actual IP addresses. You can get your IP address by Googling "What is my IP". wp-login.php is the default, but if your login page is named differently, change the login filenames to match.

Tip: You can go to ProxyBonanza and pay $10/mo for one exclusive proxy IP of your own, and then allow that IP and use that IP whenever you want to access your sites.

(ProxyBonanza has plugins for Firefox and Chrome, which make this step really easy.) Just swap out the fake IPs below with your actual IPs. If your IP changes, you can always go in and fix this via FTP later.

## Restrict WordPress Login Pages to Your Own IPs ##
# 123.456.7.8 is a fake address; replace it with your own IPs
<Files wp-login.php>
order deny,allow
deny from all
allow from 123.456.7.8
allow from 123.456.7.8
</Files>
<Files login>
order deny,allow
deny from all
allow from 123.456.7.8
allow from 123.456.7.8
</Files>

There are a number of files that nobody but you should ever be accessing, and this bit of code (preferably at the top) will block them from being accessed via a browser:

## Block Sensitive Files ##
# Turn off directory listings (+/- options cannot be mixed with a bare "All")
Options -Indexes
<files .htaccess>
Order allow,deny
Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files license.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>
<files error_log>
Order allow,deny
Deny from all
</files>
<files fantastico_fileslist.txt>
Order allow,deny
Deny from all
</files>
<files fantversion.php>
Order allow,deny
Deny from all
</files>

If you find your site being hit repeatedly with attack attempts from certain IP addresses, you can manually block certain IPs with the following bit of code. Just edit the deny from bit to include the offending IP, with one IP per line as follows:

## Malicious IP Blocking ##
# The 192.0.2.x addresses are placeholders; list one offending IP per line
order allow,deny
deny from 192.0.2.10
deny from 192.0.2.11
allow from all


If you have people hitting you really often from the same IP or IP block, you can redirect that IP/IP block to a nice rickroll video (just change the IP below to reflect the one that's hitting you):

## Redirect Recurring Spammer IPs to a Rickroll Video ##
RewriteCond %{REMOTE_ADDR} ^192\.168\.1\.1$
# Placeholder target; put the video URL here
RewriteRule .* https://example.com/video [R=302,L]

If you have certain websites that are hitting you with referral traffic you don't want (it can happen for various reasons), you can block those referring domains with this code:

 ## Block Certain Referring Domains ## 
RewriteCond %{HTTP_REFERER} digg\.com [NC] 
RewriteRule .* - [F]

You can also use your .htaccess file to secure wp-includes (this can cause real issues, especially with Multisite, so I'll have you go here for the specifics). You can also do some other pretty advanced things, like blocking certain countries and browser languages, if you so choose.

With all of that in place, your .htaccess file is just about as hardened as it can get. An .htaccess file can exist for each directory on a site, and is applied to everything in and under that directory.  For further reading on these and other similar points, check out these five links.


The last step is to lock down your file permissions so that only those who should have access to certain files have that access.

You can read how to change file permissions here (be careful with this one too, as it can break things, particularly plugins.) This is something you should test very carefully as you implement it, ideally in a sandbox or dev environment.

And that's it for WordPress server-level security (not really — you could fill a book with this stuff — but this should be sufficient for your needs). Next up, WordPress itself!


Your WordPress Installation

Once you have your hosting and server security sorted out, it's time to get WordPress installed, along with the necessary security plugins.

Even if you already have an existing WordPress site, don't skip this section!

You'll want to download the WordPress install files directly from, and go through the install process via secure FTP (SFTP).

We offer 3 great 1-Click WP installers (Fantastico, Softaculous and Installatron), but as you use these, please make sure you pick secure passwords (outlined in the next section), and don't use the same password for more than one site/thing (separate passwords for your database, FTP, WordPress admin, etc.).

With WordPress installed, the next step logically will be to pick a theme — and not just any theme will do. As any black-hat SEO knows, themes and plugins have long been a great way to get links, albeit in a shady and unethical way.

Because a lot of potentially dangerous things can be hidden inside of themes, it's a good idea to use or buy a secure, clean theme.

The themes that come with WordPress by default are pretty safe, and if you didn't get a FREE Premium theme when you signed up (depends on the package you choose), go to these links to get good ones:

Adding New Themes And Where To Get The Best Themes.

If you already have a theme installed, you might want to run a security scan, or have a security-minded developer look through the theme code. Ditto for any plugins you might have.

After you've selected your theme, the next step is to start picking plugins. When it comes to plugins, you need to be just as careful as you were with picking a theme. Even popular plugins can contain vulnerabilities, and developers can sometimes be slow to fix them (or perhaps put them there themselves). For that reason, using as few plugins as possible to get the job done is recommended. That said, from a security perspective, here are some recommended plugins:

  • Better WP Security - Can overlap with other plugins, so be careful. Free.

  • Limit Login Attempts - If you install WordPress with 1-Click using our Installatron, this is already installed by default. You can see it under WP-Admin > Plugins. Just click to activate. Free.

  • Akismet - Great way to filter out a lot of crap before it ever touches your site. If your site is easy to spam, it might also be easy to hack, so make it a hardened target on all fronts. You will need to get the license. Paid.

  • Sucuri Security - When you pay for this service, you get a plugin to install on your site that helps with the monitoring and hardening process. It has overlap with other plugins though, such as Limit Login Attempts and Better WP Security, so you don't want to use all of them at once. Paid.

  • CodeGuard - Great backup service that lets you easily roll back if you ever do get hacked. Also, people don't back things up nearly as often as they should, so doing it automatically is handy. Paid.

  • CloudFlare - You can install CloudFlare via our control panel. It is a CDN that will make your site faster and also has great built-in security features. Free and Pro versions. See CloudFlare Knowledgebase.

  • Duo Two-Factor Authentication - This enables you to easily add Duo Security two-factor authentication to your WordPress website. Enable two-factor authentication for your admins and/or users. See the step-by-step guide at Duo Security Documentation.

  • Google Authenticator - Enables two-factor authentication on WordPress, which is awesome. I use two-factor wherever it's offered, because it rocks. Free.

  • Stealth Login Page - You can't crack what you can't find. This plugin hides your login page without needing to edit .htaccess files. Free.

  • WordPress SEO by Yoast - Not only does this have great SEO benefits, but it allows you to easily edit your .htaccess file from within the WordPress admin, which is very handy. Free.


As you build out your site, you should also pay very close attention to what is and isn't reachable by crawlers, and how your site handles things like login info, passwords, lost passwords/password resets, security questions, etc. There's an entire sub-set of hacking called Google hacking, dedicated to surfacing information Google has found and indexed that it probably shouldn't have (great article here). Making effective use of your robots.txt file to block things that should be blocked is highly recommended.

Remember, nothing is unhackable, so the goal is simply to make your site way more trouble than it's worth to the majority of hackers.


Security From Your Personal End

As any half-decent hacker knows, the human element of security is usually the weakest link in the chain. The most security-conscious web admin or host can be foiled by a common password (Love, Sex, Secret, God, Hack the Planet!).

The human brain likes routines, patterns, and comfort zones; and hackers exploit that with glee! If you want a fascinating yet frightening read on this topic, check out Kevin Mitnick's book The Art of Deception.

Here are seven personal best practices for locking down the human element:

  • When you use a WiFi network, secured or unsecured, anyone else on that network can get access to your traffic (if all your traffic is encrypted, you're MUCH safer, which is why you should use a secure VPN on any shared network, even if it's a "secure" shared network). If you have WiFi at home or work, make the password a strong one, use WPA2, and set your router to NOT display the SSID (this is a "security by obscurity" tactic).

  • Get a firewall. A good firewall is an excellent defensive tool. In a perfect world, I'd recommend having both a software and a hardware firewall, but that may not be feasible for everyone. At the very least, you need a software firewall (Comodo, ZoneAlarm, etc.). It can be a bit intrusive, depending on your settings, but it's easy to customize and does a very good job. You should have a firewall on every desktop/laptop/server.
  • Get an antivirus program. Viruses and malware are a dime a dozen, and the chances are REALLY good that you've got at least one on your machine already. If a hacker has access to your computer, no amount of security anywhere else can protect your WordPress installation (not to mention your email, bank account, etc.) I've tried quite a few over the years, and I'm partial to Avast. It's one of the least resource-intensive AV programs on the market (won't bog down your machine), but it's also extremely thorough (there's a free version, but I pay for the full suite for a variety of reasons).
  • Keep your hardware physically secure. If someone can get to your machine, it's a cinch to hook up a keylogger. If you don't password protect your machine, there are all kinds of other quick and dirty things they could do as well. If you use a desktop in particular, and it's in a common area at work, periodically check your USB ports and all cords running into the machine for anything unusual. It's uncommon, but it happens. Seriously, you should see the type of security Google has at its server farms!
  • Use really good passwords, and don't ever reuse passwords on multiple sites. Also don't write down, print, or store your passwords in plain text on your computer. Just don't. See Best Tools And Apps On The Net For Password Management.
  • Operating system passwords are notoriously easy to crack with rainbow tables, so make sure your OS password is long (at least 15 characters) and complex (uppercase and lowercase letters, numbers and symbols, avoiding common substitutions like @ for A or 8 for B, etc.). Here's a cool article that explains why complex passwords make things SO much harder for hackers.
  • Thanks to some pretty serious security blunders over the years, it's easy to find massive lists of passwords used on pretty major sites (RockYou is a great example, with 32 million passwords leaked). With a list like that, you can just pick a WordPress site and try random passwords at will until you get a hit. While far from efficient, script kiddies in particular love this brute-force approach.
  • Protect your email accounts with two-factor authentication (and then protect your phone too). If a hacker can't get into your site via the password, their next trick is usually trying to crack your email account so they can just do a reset. If your email provider offers two-factor authentication, USE IT. See: Google 2-Step Verification | Two-step verification: FAQ - Microsoft Windows
  • If you do this, make sure you lock your phone (use a real password, not the 4 digit variety) and try really hard not to lose it, since that is now the key to your accounts. In a perfect world, don't put that phone number up online, just to be safe; if a website ever needs a phone number, get a Google Voice number that you use just for that. You should probably also set your phone to wipe after a certain number of failed tries, and configure a remote wipe option as well, if possible, as your phone is now the key to your accounts. Do NOT do this when setting up an account with us for the authentication process.
  • If your account provider asks you for security questions, use a mnemonic to come up with a totally separate answer (for example, for the question "What was your high school mascot?"). This will effectively neutralize attempts to mine your social profiles for data hackers can use to guess your security questions.

Learn to recognize and avoid phishing attacks.

How to Avoid Phishing Scams

  • Be suspicious of any email with urgent requests for personal financial information. Unless the email is digitally signed, you can’t be sure it wasn’t forged or ‘spoofed’. Phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately. They typically ask for information such as user names, passwords, credit card numbers, social security numbers, date of birth, etc. Phisher emails are typically NOT personalized, but they can be.
  • Valid messages from your bank or e-commerce company generally are personalized, but always call to check if you are unsure.
  • Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don’t know the sender or user’s handle. Instead, call the company on the telephone, or log onto the website directly by typing in the Web address in your browser.
  • Avoid filling out forms in email messages that ask for personal financial information. You should only communicate information such as credit card numbers or account information via a secure website or the telephone.
  • Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser.
  • Phishers are now able to ‘spoof,’ or forge BOTH the “https://” that you normally see when you’re on a secure Web server AND a legitimate-looking address. You may even see both in the link of a scam email. Again, make it a habit to enter the address of any banking, shopping, auction, or financial transaction website yourself and not depend on displayed links.
  • Phishers may also forge the yellow lock you would normally see near the bottom of your screen on a secure site. The lock has usually been considered as another indicator that you are on a ‘safe’ site. The lock, when double-clicked, displays the security certificate for the site. If you get any warnings displayed that the address of the site you have displayed does NOT match the certificate, do not continue.
  • Remember not all scam sites will try to show the “https://” and/or the security lock. Get in the habit of looking at the address line, too. Were you directed to PayPal? Does the address line display something different like “hxxp://”? Be aware of where you are going.

Lastly ... Pay Attention. Be Vigilant

When it comes to WordPress security, you can't just set it and forget it. If you put all of this in place, and then fail to monitor and update and change things as time goes by, you'll be in just as bad of shape as if you'd never done any of this to begin with.

To make sure that all of your hard work doesn't go to waste, I recommend a seven-step checklist to maintain constant vigilance for your WordPress sites:

  • Keep WordPress updated. Luckily, our system takes care of this for you if you use our 1-Click installers. However, if you install manually, pay attention to the top of the dashboard for new updates.
  • Keep your plugins updated. Plugins are one of the most vulnerable parts of WordPress, not only to external hackers, but to malicious or greedy programmers. While we already covered only using reputable plugins, also make sure you keep these plugins updated, just in case a vulnerability is being addressed in the update. Again, you might want to have your dev team do this, as updates can sometimes break things.
  • Monitor your server log files. This might be overkill for most folks, unless you've spotted something suspicious. Your server logs will give you the details of everything that has hit your site, human or bot, and when and from what IP address. You can find some awesome stuff in here, so keep an eye on it from time to time. (AWStats, which you can see on your control panel, is a good free tool for this.)
  • Monitor WP access. You can use a plugin like Simple Login Log to monitor the details of logins to your site. DO THIS.
  • Monitor for file changes. A plugin like CodeGuard will send you emails whenever your WordPress files are changed. This can be an early-warning system for a hack, and is worth the investment. It also allows you to roll back changes if needed.
  • Change your password periodically. I'd recommend every 3-6 months, but once per year is probably sufficient if you're using a sufficiently complex and unique password.
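
The log-monitoring and login-monitoring items above can be made concrete with a short script. This added example (not from the original article; the thresholds, names and sample lines are assumptions) scans Apache combined-format access-log lines for failed wp-login.php POSTs and reports both single-IP bursts and windows in which many different IPs fail, the proxy-list pattern described earlier.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, up to the status code
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
BUCKET_SECONDS = 300     # assumed 5-minute window
PER_IP_LIMIT = 5         # assumed threshold: failures from one IP per window
DISTINCT_IP_LIMIT = 5    # assumed threshold: different IPs failing per window


def failed_logins(lines):
    """Yield (ip, datetime) for each POST to wp-login.php answered with 200.
    By default WordPress redirects (302) after a successful login and
    re-serves the form with 200 after a failed one."""
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?")[0].endswith("/wp-login.php"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def analyse(lines):
    """Group failures into fixed windows; report single-IP bursts and
    windows in which many different IPs failed (distributed guessing)."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ip, when in failed_logins(lines):
        start = int(when.timestamp()) // BUCKET_SECONDS * BUCKET_SECONDS
        buckets[start][ip] += 1
    bursts, distributed = set(), []
    for start, per_ip in sorted(buckets.items()):
        bursts.update(ip for ip, n in per_ip.items() if n >= PER_IP_LIMIT)
        if len(per_ip) >= DISTINCT_IP_LIMIT:
            distributed.append((start, len(per_ip)))
    return {"bursts": sorted(bursts), "distributed": distributed}


def sample_line(ip, clock, method, path, status):
    # Builds one constructed access-log line in Apache combined format.
    return (f'{ip} - - [10/Mar/2024:{clock} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 4521 "-" "Mozilla/5.0"')


# Constructed sample traffic using documentation IP ranges, not real data.
SAMPLE = (
    [sample_line("198.51.100.7", f"04:12:0{i}", "POST", "/wp-login.php", 200)
     for i in range(6)]
    + [sample_line(f"203.0.113.{i}", f"09:30:1{i}", "POST", "/wp-login.php", 200)
       for i in range(1, 9)]
    + [sample_line("192.0.2.44", "11:00:00", "GET", "/wp-login.php", 200),
       sample_line("192.0.2.44", "11:00:09", "POST", "/wp-login.php", 302),
       sample_line("192.0.2.44", "11:00:10", "GET", "/wp-admin/", 200)]
)

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

IPs listed under `bursts` are candidates for the manual deny list shown earlier; a `distributed` hit is the case that per-IP limits miss and that the login-page IP restriction addresses.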