WordPress Security Tips


Keep Up to Date

The first and the most basic measure to secure your WordPress installation is to keep it updated to the latest release. This helps patch security vulnerabilities. The process of updating WordPress is easy and fast.

Each new WordPress release makes the details of the security bugs it fixes public. You can upgrade automatically from the WordPress dashboard, or manually by overwriting the old files with newly downloaded files from the website. Obsolete versions of WordPress do not receive security patches, and you also miss out on the advanced features and functionality.

The same is true for plugins. Whenever there is a new version of a plugin available, make sure you update. If you are not using any of the plugins installed, it’s better to remove them from the dashboard.

Customize Your Login

The default username for WordPress installation is always ‘admin’. If you don’t change the username, you are giving hackers a head start – they only have to crack your password to get access to your dashboard. You can use the following steps to make a new username:

  1. Log in with your admin username first. When you are inside the WordPress dashboard, click on Users > Add New.
  2. Type in a new name and give it full administrative access.
  3. Log out and then log in with the newly created Administrative account.
  4. Make sure that all earlier posts and pages are given authorship to the new account. This ensures your posts and pages are transferred to the other username instead of being deleted when you delete your admin account.
  5. Delete the original admin account.

It is recommended to use a different username to make new posts and pages, with Author status. Use your Administrative account when you need to update WordPress and plugins.

The password you set needs to be a complex one, a mix of letters, numerals and symbols. Using a strong password is essential on all entry points to secure your website fully.

Hide the WordPress Version

Outdated versions of WordPress are easier to hack and knowing the version number presents an incentive for hackers. Even if you are using an older version of WordPress for some reason, you don’t have to advertise that fact.

The WordPress version is by default displayed on the blog and is visible to the public eye. There are plugins available which remove the WordPress version from your source code. One such plugin is Sucuri Security, another is Secure WordPress, both available in the WordPress plugins repository. Keep the hackers guessing!

If you prefer to keep the use of plugins to a minimum, you can include a line of code in the functions.php file to prevent the WordPress version from getting displayed:

/* Remove WordPress version number */
function nm_remove_wp_version() {
    return '';
}
add_filter('the_generator', 'nm_remove_wp_version');

The above code ensures complete removal of the WordPress version number from everywhere, be it your header file or RSS Feeds.

Restrict File Permissions

File permissions should be restricted to prevent breach of security of your site. The file permissions should be set to the bare minimum.

Setting the CHMOD value to 755 for folders means only the owner has write permissions and others will have read and execute permissions. Setting the CHMOD value to 644 for files means the owners have the read and write permissions and others can only read the files.
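The 755/644 scheme above can be checked and applied from a shell on the server. This is an added example, not code from the original article; the function names and the demo tree are constructed for illustration, and the WordPress root is whatever path you pass in.

```sh
#!/bin/sh
# Added example: audit and apply the 755 (directories) / 644 (files) scheme.
# All function names are hypothetical; $1 is the WordPress root you pass in.

# Print every directory that is not exactly 755 and every file not exactly 644.
wp_perm_audit() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -perm 644 -print
}

# Print only the riskiest cases: anything writable by group or others.
wp_perm_loose() {
    find "$1" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) -print
}

# Apply the scheme. Symbolic links are skipped by -type d / -type f.
wp_perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo tree: one world-writable directory, one world-writable file.
# Echoes "<loose before fix> <non-conforming before fix> <non-conforming after fix>".
wp_perm_demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/wp-content/uploads"
    : > "$root/wp-config.php"
    : > "$root/wp-content/uploads/photo.jpg"
    chmod 755 "$root" "$root/wp-content"
    chmod 777 "$root/wp-content/uploads"
    chmod 666 "$root/wp-config.php"
    chmod 644 "$root/wp-content/uploads/photo.jpg"
    loose=$(wp_perm_loose "$root" | wc -l | tr -d ' ')
    before=$(wp_perm_audit "$root" | wc -l | tr -d ' ')
    wp_perm_fix "$root"
    after=$(wp_perm_audit "$root" | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "$loose $before $after"
}

# When called with a path, report what does not match the scheme.
if [ -n "${1:-}" ]; then wp_perm_audit "$1"; fi
```

Run the audit first and review its output before calling `wp_perm_fix`, since some hosts need different ownership or modes on upload directories.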


You should keep backups of all important files. Keeping a backup of WordPress data and files can play a crucial role in times of emergency. Backups can put an end to a lot of your troubles and set your mind at peace.

WP-DB Manager is a good option for backing up the whole of a WordPress website. Online backup options are also a good choice. Maintaining regular backups ensures that your website can be restored in the minimum possible time if it gets compromised. WordPress Database Backup is another plugin worth considering. It allows you to save the database to the server or download it to your computer. You can also have the backup emailed to an address of your choice. You can schedule the backup hourly, daily or weekly.

Restrict Access to Your Plugins

You should definitely restrict or simply deny access to your WordPress plugins directory. A visit to www.your-domain.com/wp-content/plugins/ reveals all the plugins that have been used in the website. These plugins might contain vulnerabilities, which might put the site’s security at risk and attract hackers.

To deny access to the directories, the easiest way is to use a .htaccess file or just upload a blank index.html file to that directory. If the index.php or index.html files are not present in the particular directory, you must also add the following line at the start in your .htaccess file in the root folder:

Options -Indexes

This will prevent the public accessing your files in the directories.
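Both measures above can be verified from a shell: which directories still lack an index file, and whether the .htaccess directive is really in effect. This is an added example, not from the original article; the function names and the demo files are constructed for illustration.

```sh
#!/bin/sh
# Added example: check the two directory-listing defences described above.
# Function names are hypothetical; paths are whatever you pass in.

# Print each directory under $1 that has neither index.php nor index.html.
wp_unindexed_dirs() {
    find "$1" -type d | while IFS= read -r dir; do
        if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Succeed only if .htaccess file $1 has an uncommented "Options ... -Indexes".
# Only an ASCII hyphen is valid; a typographic dash pasted from a web page
# is not the same directive, so it is treated as missing here.
htaccess_disables_indexes() {
    grep -Eq '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?-Indexes([[:space:]]|$)' "$1"
}

# Constructed demo: one plugin directory without an index file, one .htaccess
# with an en dash (bytes E2 80 93) and one with the correct ASCII hyphen.
# Echoes "<unindexed dirs> <en-dash file passes?> <hyphen file passes?>".
wp_index_demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/plugins/sample-plugin" "$root/themes"
    : > "$root/index.php"
    : > "$root/plugins/index.php"
    : > "$root/themes/index.html"
    printf 'Options \342\200\223Indexes\n' > "$root/bad.htaccess"
    printf 'Options -Indexes\n' > "$root/good.htaccess"
    missing=$(wp_unindexed_dirs "$root" | wc -l | tr -d ' ')
    if htaccess_disables_indexes "$root/bad.htaccess"; then bad=yes; else bad=no; fi
    if htaccess_disables_indexes "$root/good.htaccess"; then good=yes; else good=no; fi
    rm -rf "$root"
    echo "$missing $bad $good"
}

# When called with a wp-content path, list directories that need an index file.
if [ -n "${1:-}" ]; then wp_unindexed_dirs "$1"; fi
```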

Change Database Table Prefixes

When you first install WordPress using the default values and options, WordPress tables use the table prefix wp_. As hackers can exploit this feature, it is recommended to change the default table prefix wp_ to something else. To change the database table prefixes after install, you can use the WP Secure Scan plugin. Another plugin, Change DB Prefix, can also rename the table prefix to another string.

Change Default Secret Keys

When you first install WordPress, there are four secret keys written in your wp-config.php file. Go here and copy all the six keys and use them to replace the four keys present in the wp-config.php file. These are random keys generated by WordPress, and they change every time you refresh the page. This helps make your passwords more secure, and if anybody is logged into WordPress at that time, they will be logged out of the dashboard immediately as the cookies become invalid.

Secure Your Login Page

Your WordPress login page is accessible to the world and you must secure it so that nobody could gain access to the installation. Error messages on login pages can give clues to hackers.

To remove error messages on the login page, add the following line of code in your theme functions.php file:

// create_function() was removed in PHP 8; __return_null is WordPress's built-in helper.
add_filter('login_errors', '__return_null');

This will remove the error message displayed above the username and password box.

You can use plugins such as Google Authenticator and Login Dongle for an extra layer of security. Google Authenticator is a great plugin that adds a two-step verification to your WordPress blog, as the name suggests – similar to Google Account security. Enter a password and a code sent to your mobile phone. The Login Dongle plugin generates a bookmarklet with a secret question.

Secure Your Device

Make sure your workstation, PC, mobile, tablet or alternate device is fully secure and automatically updated. The antivirus software and the operating systems should also be updated to the latest release. Set secure passwords for all authentication vectors. These passwords should be complex and should also be changed frequently.

The PCs and servers should be equipped with the latest and the best anti-virus software and be secure from all malware threats. This should include periodic cleaning of harmful bugs. Firewalls should be installed at every level: operating system level, router level and even Internet service protocol level. This should ensure that all the PCs and web servers of your work station are secure.

Don’t Share Your Login

Just like any other secured networks or accounts, you should be careful not to share the username or password with anybody you don’t fully trust. Even in the worst case scenario where you have hired a webmaster to manage your website, ensure you do not share your username or password. You can create separate accounts for them with customized permissions.

Secure Your Content

While uploading content to the website, ensure that the content itself is authentic and is downloaded from safe/reliable sources. Even when you are uploading a script, you need to be cautious as there can be malware intentionally designed to harm your website.

This is not intended to be an exhaustive list of all possible ways of securing your WordPress installation, but it does give you a handy list of WordPress security issues to consider and ways of addressing them, whether by the use of purpose-specific plugins or simple actions you can take.

Feel free to add more methods in the comments below.

Amit Malhotra

Passionate about web and technologies, WordPress, SEO/SEM. A full-time SEO/SEM professional, based in New Delhi, India, helping clients from around the world to gain good rankings on search engines.
