WordPress Security Tips

By Amit Malhotra
We teamed up with SiteGround
To bring you the latest from the web and tried-and-true hosting, recommended for designers and developers. SitePoint Readers Get Up To 65% OFF Now

Keep Up to Date

The first and the most basic measure to secure your WordPress installation is to keep it updated to the latest release. This helps patch security vulnerabilities. The process of updating WordPress is easy and fast.

With the release of every new version of WordPress, the security bug fixing information becomes public. The WordPress dashboard is upgraded automatically or a manual upgrade can be achieved by overwriting the old files with newly downloaded files from the website. Obsolete older versions of WordPress do not have access to security patches. You don’t want to miss the advanced features and functionality.

The same is true for plugins. Whenever there is a new version of a plugin available, make sure you update. If you are not using any of the plugins installed, it’s better to remove them from the dashboard.

Customize Your Login

The default username for WordPress installation is always ‘admin’. If you don’t change the username, you are giving hackers a head start – they only have to crack your password to get access to your dashboard. You can use the following steps to make a new username:

  1. Login with your admin username first. When you are inside the WordPress dashboard, click on Users > Add New.
  2. Type in a new name and give it full administrative access.
  3. Log out and then log in with the newly created Administrative account.
  4. Make sure that all earlier posts and pages are given authorship to the new account. This is to make sure all your posts and pages don’t get deleted when you delete your Admin account and they are just transferred to another username.
  5. Delete the original admin account.

It is recommended to use a different username to make new posts and pages, with Author status. Use your Administrative account when you need to update WordPress and plugins.

The password you set needs to be a complex one, a mix of letters, numerals and symbols. Using a strong password is essential on all entry points to secure your website fully.

Hide the WordPress Version

Outdated versions of WordPress are easier to hack and knowing the version number presents an incentive for hackers. Even if you are using an older version of WordPress for some reason, you don’t have to advertise that fact.

The WordPress version is by default displayed on the blog and is visible to the public eye. There are plugins available which remove the WordPress version from your source code. One such plugin is Sucuri Security, another is Secure WordPress, both available in the WordPress plugins repository. Keep the hackers guessing!

If you prefer to keep the use of plugins to a minimum, you can include a line of code in the functions.php file to prevent the WordPress version from getting displayed:

/* Remove WordPress version number */
function nm_remove_wp_version() {
return '';
add_filter('the_generator', 'nm_remove_wp_version');

The above code ensures complete removal of the WordPress version number from everywhere, be it your header file or RSS Feeds.

Restrict File Permissions

File permissions should be restricted to prevent breach of security of your site. The file permissions should be set to the bare minimum.

Setting the CHMOD value to 755 for folders means only the owner has write permissions and others will have read and execute permissions. Setting the CHMOD value to 644 for files means the owners have the read and write permissions and others can only read the files.


You should keep backups of all important files. Keeping a backup of WordPress data and files can play a crucial role in times of emergency. Backups can put an end to a lot of your troubles and set your mind at peace.

WP-DB Manager is a good option for backing up the whole of a WordPress website. Online backup options are also a good choice. Maintaining regular backup would ensure that your website is restored within the minimum possible time just in case it gets compromised. WordPress Database Backup is another plugin and can be used as a good option. It allows you to save the database to the server or download it on to your computer. You can also email the backup on your chosen email id. You can schedule the backup hourly, daily or weekly.

Restrict Access to Your Plugins

You should definitely restrict or simply deny access to your WordPress plugins directory. A visit to www.your-domain.com/wp-content/plugins/ reveals all the plugins that have been used in the website. These plugins might contain vulnerabilities, which might put the site’s security at risk and attract hackers.

To deny access to the directories, the easiest way is to use a .htaccess file or just upload a blank index.html file to that directory. If the index.php or index.html files are not present in the particular directory, you must also add the following line at the start in your .htaccess file in the root folder:

Options –Indexes

This will prevent the public accessing your files in the directories.

Change Database Table Prefixes

When you first install WordPress using the default values and options, WordPress tables use table prefixes like Wp_. As hackers can exploit this feature, it is recommended to change the default table prefix Wp_ to something else. To change the database table prefixes after install, you can use WP Secure Scan plugin. If you use another plugin named Change DB Prefix plugin, it can rename table prefix to another string.

Change Default Secret Keys

When you first install WordPress, there are four secret keys written in your wp-config.php file. Go here and copy all the six keys and use them to replace the four keys present in wp-config.php file. These are the random keys generated by WordPress and are changed every time you refresh the page. This helps making your passwords more secure and if anybody is logged into WordPress at that time, they will be logged out of the dashboard immediately as the cookies become invalid.

Secure Your Login Page

Your WordPress login page is accessible to the world and you must secure it so that nobody could gain access to the installation. Error messages on login pages can give clues to hackers.

To remove error messages on the login page, add the following line of code in your theme functions.php file:

add_filter('login_errors',create_function('$a', "return null;"));

This will remove the error message displayed above the username and password box.

You can use plugins such as Google Authenticator and Login Dongle for an extra layer of security. Google Authenticator is a great plugin that adds a two-step verification to your WordPress blog, as the name suggests – similar to Google Account security. Enter a password and a code sent your mobile phone.  Login Dongle plugin generates a bookmarklet with a secret question.

Secure Your Device

Make sure your workstation, PC, mobile, tablet or alternate device is fully secure and automatically updated. The antivirus software and the operating systems should also be updated to the latest release. Set secure passwords for all authentication vectors. These passwords should be complex and should also be changed frequently.

The PCs and servers should be equipped with the latest and the best anti-virus software and be secure from all malware threats. This should include periodic cleaning of harmful bugs. Firewalls should be installed at every level: operating system level, router level and even Internet service protocol level. This should ensure that all the PCs and web servers of your work station are secure.

Don’t Share Your Login

Just like any other secured networks or accounts, you should be careful not to share the username or password with anybody you don’t fully trust. Even in the worst case scenario where you have hired a webmaster to manage your website, ensure you do not share your username or password. You can create separate accounts for them with customized permissions.

Secure Your Content

While uploading content to the website, ensure that the content itself is authentic and is downloaded from safe/reliable sources. Even when you are uploading a script, you need to be cautious as there can be malwares intentionally designed to harm your website.

This is not intended to be an exhaustive list of all possible ways of securing your WordPress installation, but it does give you a handy list of WordPress security issues to consider and ways of addressing them, whether by the use of purpose-specific plugins or simple actions you can take.

Feel free to add more methods in the comments below.

We teamed up with SiteGround
To bring you the latest from the web and tried-and-true hosting, recommended for designers and developers. SitePoint Readers Get Up To 65% OFF Now
  • A whole bunch of these suggestions are contradictory, not fully explained, or plain wrong.

    Hide The WordPress Version – This is not useful. For starters, most users never delete the readme.html file, which contains the version. If they do delete that, there are other ways. For example, nearly every release of WordPress contains a new version of jQuery, an attacker can easily match that against the WordPress version.

    Restrict File Permissions – This is partially useful, but can cause serious problems. Some hosts have restrictions on whether a site will work, based on the file permissions of the site PHP files. Also, if the files are not owned by the correct user, it will prevent WordPress from being able to upgrade itself, which will discourage people from your first point, Keep Up to Date.

    Restrict Access to Your Plugins – This is not useful. If a plugin has a known exploit, there are many different ways to check for that plugin: the HTML it outputs, the plugin readme.txt file, or simply trying the exploit.

    Change Database Table Prefixes – This is not useful. Any attacker that has gained access to your DB will almost certainly have access to your wp-config.php file, where the database prefix is stored.

    Secure Your Login Page – Removing error messages may appear useful, but is not. The best this can prevent is telling an attacker if a username exists or not. If you have a strong password, it doesn’t matter if they know your username. There are also other ways to determine if a user exists or not.

    Apart from these problems, the rest are good recommendations.

    • Changing table prefixes helps prevent SQL injection attacks which a cracker can attempt regardless of direct access to the database or configuration files.

      • You’re right, it’s partially useful for that – it would block an SQL injection flaw that writes to tables that make use of the table_prefix (core tables and tables belonging to well written plugins). I suspect this is a serious edge case, though – not worth the hassle of changing your table_prefix.

      • SQL injections are not an edge case — they’re one of the most common forms of attack since they require no direct access to the database or configuration files. Admittedly, I suspect the WordPress core is immune, but that’s not necessarily true for plugins.

    • I welcome your comments Gary! The article may appear not fully explained but it’s good if the suggestions above are implemented. I myself have implemented much of these suggestions on a few of my sites and would like to share this with others. For restricting file permissions, much have been said here – http://codex.wordpress.org/Hardening_WordPress and this could be implemented if the hosts allow. For Change Database Table Prefixes, it’s better if this is done at the time of installation of wordpress. Obviously, there are many other ways that a hacker may attempt to get inside, but why not secure Your Login Page! No system is crack proof of course, but it’s advisable to do what you can.

  • tnq for article

  • I have not only bookmarked this page but also noted down all the points in my diary so that these will come handy each time I create a new wordpress site. I want to thank you for having created such an important list of security precautions for wordpress users. Hope you will update this space in future to make this list more exhaustive.

  • Interesting article. I’ll give it a try.

    • Amit Malhotra

      Good to know you find it interesting. Pls Go ahead.

  • John Larry Evangelista

    Nice article. Thanks!

    • Amit Malhotra

      You are welcome John!

  • Thanks Craig for the useful advices. I also find Gary’s comment interesting. I myself do change the table prefixes for WordPress installations but want to mention that I only do it on installation. While changing it later on is possible (eg. with a plugin like “Better WP Security”) I wouldn’t recommend it.
    I also like the “Limit Login Attempts” plugin which allows you to restrict login attempts and automatically block login if a configurable amount of tries was reached and then also informs the administrator by email.

  • Brilliant post. It’s always good to hear different opinions on how to best secure websites.

    Thanks for posting!


  • I do about half of this list at install and then after install I use the Better WP Security plug-in (which is very comprehensive). I’ve found that method works best for me.

    • Yes, Better WP Security plug-in is a good security plugin. There are plugins for the simple tasks that could be achieved through a few lines of code. We should not use plugins for some of the simplest tasks. So, it’s good if some of the tasks can be done by adding a few lines of code. What method works best for you is advisable.

  • With global Hacking and Spam affecting everyday life more and more, isn’t it time we got past the two field login? Why can’t it be three? Three fields right has got to take longer to crack than two. The third could be the user’s real name or id number!

    Why can’t WordPress ask us for a username at setup – like everyone else does? And filter it for really obvious/simple ones like “admin”.

    Captures are an improvement too – maybe WordPress don’t like them because of accessibility issues.

    I think the software vendors have to take a lead but also end-users taking some responsibility for varying and complicating their login credentials.

    Having said that as a web developer I don’t know what I would do without Firefox’s password manager… I must have at least a 100+ accounts which I have a password “formula” for – updating them is a nightmare and I do forget many times with this many passwords.

  • Paul


    where in the functions.php file should I insert the code to remove the version number?. I initially added it at the end but was getting weird error messages.


    • Add this code just after the opening php tag.

      • Paul

        Thank you Amit, that did the trick!

  • One more for the mix. How about two factor authentication when logging into your account?

    Handy new wordpress plugin:

    • Dan

      The trouble with most 2FA is that they make it so much harder for people to use.

      We have decided to do security easy. One of the by-products is a plugin for strong authentication. It prefers usability to security so you can either login with a password or with one-time code.

      If you’re on a secure network, you may want to use just your password but open your smart phone when connected through an insecure WiFi (cafe, train, …).

      We tested it with a few smart phone apps: Google Authenticator, Pledge, DS3 OATH, AWToken so you don’t have to rely on Google completely. (http://wordpress.org/extend/plugins/s-crib-otp-authentication/ ).