🤯 New: Coding Assessments Practice your skills on real-world programming challenges

More Tips to Further Secure WordPress

Elio Qoshi

WordPress has often been seen as the unofficial scapegoat to blame various security breaches on. Like many other popular web applications, WordPress is an attractive target for attack. Obviously, the security in WordPress, as with any application, needs to be put into context. Luckily, WordPress benefits from a wide variety of security configuration options and third party plugins to help satisfy those who are looking to increase their overall security.

In this article, I’m going to add to Tim Carr’s 10 Tips to Secure WordPress with even more ways you can help secure your site, starting prior to the WordPress installation.

WordPress Security

Clean Your Computer

Before starting the WordPress installation, be sure that your computer is malware/virus free. It might sound obvious, but it’s critical that your system is free of malware and in a trusted state.

If your computer is infected, every security related measure of yours could be futile. It is suggested to protect your systems with antivirus, to keep all the malware and viruses at bay.

Install WordPress in Another Directory

The WordPress core files can happily exist in another location, other than the root directory. This technique is often debated, so your mileage may vary. Scanners and attackers can still find out where WordPress lives, however we thought it’s worth mentioning since the topic does come up often.

Even if this doesn’t directly provide additional security, it will definitely help keep your server organized which is also very important.

For example, if your site has the domain www.example.com, it would be preferable to install WordPress in something like www.example.com/directory.

The next step is to copy the index.php and .htaccess files to the root directory. If the .htaccess file is invisible, you have to make hidden files visible in your FTP/SFTP/SCP software or in your cPanel File Manager.

Don’t worry about the error you’ll now get if you browse to your site. Go to index.php and modify following:


Now your login URL will be www.example.com/directoy/wp-admin.

After installation, you should go to your WordPress settings in the admin panel and change the WordPress URL, so that it points at www.example.com/directory and blog URL www.example.com.

Change the Database Prefix

By default, WordPress creates the database with tables prefixed in wp_. The thinking is that spammers and hackers that are using automated tools know your database structure. Having a default database prefix makes their life much easier. This is another topic of debate, however as with installing WordPress in another directory, it’s a question that comes up frequently.

During wp-config.php configuration in the installation process, change the table prefix to something random and unique like wp_Df3R_.

To organize your tables in a more efficient way, start the prefix with wp_ and end it with _. You may use numbers, letters, and underscores.

Secure wp-config.php

As the most important file in WordPress, it stores valuable information like database, username, password and authentication keys, nobody should have direct access to wp-config.php.

As mentioned above, we can store wp-config.php outside of the root folder. Now we’ll add an additional layer of security to it.

To deny access to this file, you should add the code below at the top of the .htaccess file:

<files wp-config.php>
    order allow,deny
    deny from all

This file shouldn’t be modifiable or writable by others. To prevent other users from reading it, the file permission should be 440 or 400, however you should consult your host to check this.

Remove the WordPress Version Number

Sometimes leaving the WordPress version number can be a security risk, especially if WordPress isn’t updated regularly. Of course, we strongly recommend regular updates, as with performing other regular WordPress maintenance tasks.

The code that generates the WordPress version is in header.php:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

To remove the WordPress version number, you should add the following line to your active theme’s functions.php file:

<?php remove_action('wp_head', 'wp_generator'); ?>

Use Secret Keys

Using Secret Keys plays a role in WordPress security. These security keys help encrypt the data stored in the cookies WordPress uses. Without knowing these keys, attackers will have a harder time entering your WordPress site.

WordPress creates these for you at the time of installation, however these values might not exist with older sites or if the wp-config.php file has been manually replaced.

By default Secret Keys are listed listed in wp-config.php, like the following:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

If you ever need to regenerate these keys, you can visit the official generator provided by WordPress.org at https://api.wordpress.org/secret-key/1.1/salt/.

If an attacker has the security keys, they can regain access to the site even if the passwords have been changed. So if your site is compromised, don’t forget to change your secret keys – not just your passwords!

Disable Directory Browsing

WordPress allows users to browse the web directories, if they know where to look. Obviously, this is something we want to avoid. Directory browsing can be used by attackers to find your most vulnerable files. It’s not uncommon for developers or webmasters to leave backup files or archives in odd places.

Disable Directory Browsing

Ensuring that no one can view the contents of directories can be done by adding a single line in .htaccess

Options –Indexes

Secure Multiple Installations

If you have more than one instance of WordPress on the same host, you should use different user credentials for each database. The database username and password should be unique in the wp-config.php files for each of your websites. This will ensure the isolation of every single site, in case one of them gets hacked.

It’s a simple tip, but reusing the same credentials is something people do all the time.

WordPress Security Plugins

If you don’t feel comfortable making the above mentioned changes, there are several plugins that help you maintain the security of your WordPress installation, or even to help you recover quickly if you fall victim to a malicious attack.

Here’s a list of the most popular security plugins:

Charles Costa has previously explored the topic of WordPress Security Plugins, that is well worth reading.


With a large percentage of websites being powered by WordPress it’s no big surprise WordPress security is a popular topic. If you’re serious about your website and your website security, you should definitely explore your options and take the extra time to lock your site down.

To recap, we’ve previously covered 10 Tips to Secure WordPress, in this article, we covered even more tips to help you better manage your website security. If you’re keen about learning more, I’d also recommend reading the official WordPress.org documentation “Hardening WordPress“.

Please let us know in the comments below if you have any of your own extra tips for increasing WordPress security.