WordPress Security Guide

Is WordPress secure?

WordPress is one of the most popular content management systems on the internet. It started out as a simple blogging engine, but it now powers some popular media back-ends, shopping carts, and services. With popularity comes attention from attackers looking for weaknesses in the core architecture.

WordPress suffers from minor security issues every now and then. Many of them are patched quickly thanks to the active developer community. However, most security issues can be avoided by hardening the WordPress setup.

This guide promotes better security practices that you can follow to safeguard your setup from common threats. You’ll learn some common fixes that help protect a WordPress installation, and which files need to be modified in order to harden it.

Never take WordPress security issues lightly.

Even a minor plug-in or theme change can introduce a security flaw into WordPress. Remember, as software evolves, so do its security flaws. The best thing you can do is take precautions and avoid the common grounds from which security flaws are likely to affect your WordPress site.

Why Do Hackers Hack

I guess you want something a little more than because they can, right?

Unfortunately, this is the reason for a large number of hacking attempts these days. Hackers often leave behind a calling card to show how clever they are. It’s often in the form of a banner, announcing their uninvited presence on your site. It’s a kind of virtual ego trip.

Hackers can cause all kinds of damage on your site.

They might delete your content just for laughs. Others “silently” insert malicious code into a site to carry out some dastardly plan. The webmaster doesn’t usually get any visual clues to show that someone has compromised their beloved site.

Hacking causes chaos for the site owner and is often time-consuming and expensive to clean up. Some of the more common reasons why hackers hack include:

  1. To break into a popular site to stage some kind of protest.
  2. To post banners or extremist messages to support their cause.
  3. To insert malware that auto-downloads to the computers of those who visit the pages. This malware can cause all kinds of chaos. They can use it to steal personal data (like credit card details) from the computers it infects.
  4. To send huge volumes of spam emails from your domain. This action is likely to get your site closed down by your web host. It’s not your fault that millions upon millions of spammy emails leave your server over a short space of time. Despite this, your site cannot be live until you resolve the problem.
  5. To gain a competitive advantage. They may embed links into your pages for their SEO purposes. They might also do it to destroy the SEO of the target site so that it drops out of Google’s search engine results pages (SERPs).

The bad news is that no amount of security on any site can guarantee it’ll be 100% hacker proof. It all depends on the motivation and resources of the hackers involved. You may have seen recent news reports on some very major hacks.

For example, in September 2016, Yahoo revealed that it was the victim of a major hack attack. In that case, hackers breached at least 500 million user accounts. This followed the one billion Yahoo accounts breached in August 2013.

You may have also seen an increase in something called ransomware attacks around the world in 2017.

Those of you in the US will be aware of the controversy over the recent presidential elections. Over there you have the ongoing investigations about possible electoral manipulation from outside the country.

The good news is that once you’ve finished this guide, you’ll be a lot safer than most other WordPress websites. The type of hacker that’s usually responsible for hacking an average website is not going to have the time, patience, or resources to break into yours. Remember, most of these guys look for “soft targets”.

Web Hosting

The threat most people don’t even think about is the hosting company they use for their website. You need to do a few checks and be aware that the cheapest option is not always the best.

If a web host offers really cheap hosting, it can mean the following:

  • Plenty of people who want cheap hosting will be signing up.
  • They accept any type of site, meaning your website may be on the same server as porn, gambling, and other undesirable topics. Such sites may attract more hacking attempts because of their content.
  • They will likely cut a few corners. Security costs money so it could be one of the weaker aspects of your host.

At the very least, you should:

  • Check what version of PHP and MySQL (or MariaDB) the web host uses. These are both required for WordPress sites and should be kept up to date. This minimizes the chance of any security breaches.
  • Ask your host what other security measures they take to protect your website. Do they regularly back their servers up? And in the event of a disaster, would they reinstate your site for free or for a fee? How often do they carry out server maintenance? Anything specific to prevent hackers?

If you have an interest in my personal recommendation, you can read my Siteground Hosting Review.

Getting Started with WordPress

WordPress security hardening requires editing the following files: php.ini, wp-config.php and .htaccess. If you don’t know how to edit files on your web server, either hire someone to do this for you or ask your hosting support team for help.

What are these files? In this guide, we are going to discuss php.ini, wp-config.php and .htaccess. You’ll notice that most of the security issues are fixed by modifying these three files.

  • .htaccess – This file holds per-directory configuration settings for the Apache web server.
  • wp-config.php – This file holds the WordPress database credentials and authentication keys, and it is where core settings are defined for a running WordPress site.
  • php.ini – This configuration file customizes the behaviour of PHP at runtime.

Note: A small mistake when editing .htaccess can make your WordPress website inaccessible, so edit it carefully.

If you’re not sure how to edit this file, contact me. Keep a backup of your .htaccess file before you modify it. Some of the changes in .htaccess can be done with a plugin; use such plugins wherever you’re not comfortable editing the file manually.

Microsoft Web Server

This guide focuses on the security fixes that apply to a Linux web host running the Apache web server. If you’re running Microsoft IIS, the fixes that involve .htaccess do not apply to you. However, the php.ini and wp-config.php fixes are still applicable. I suggest consulting your web hosting company to harden a WordPress setup on a Microsoft web server.

File Permissions

Each file on a Linux or Unix based web server has read, write and execute permission levels, and the users who access these files are divided into three groups: user (owner), group and world. You can make your website more secure by setting file permissions that stop anonymous users and the group from modifying your files. By default the web server sets some permission levels for you. These are the common permissions you’ll find on a web server:

  • 755 – User can read, write and execute a file, whereas group and the world can read and execute it.
  • 644 – User can read and write, whereas group and the world can read.
  • 777 – User, group, and the world can read, write and execute.
  • 400 – User read only. Group and the world have no permissions.
  • 444 – All user levels can read.
  • 600 – User can read and write, whereas group and the world have no permissions.

As you can see from the strictness of these levels, you should stick to 644 and 755 when you modify permissions. By default, WordPress sets file permissions to 644 and folder permissions to 755.

You should never set any file or folder to permission 777. Some cache plug-ins require the plug-in folder to be set to 755 if your web server overrides it to 644. Permission settings vary from one host to another and depend on the operating system used on the hosting account; on a Windows server you may find a completely different way to set permission levels.

When you upload the files to the webserver via FTP or web-based uploader, check the permissions.

Local Computer Security

Some of the security issues can be prevented by keeping your local computer secure. That way, you don’t end up uploading insecure files on your webserver.

  • Make sure you have up-to-date anti-virus software.
  • Check your computer with an anti-malware tool for malicious scripts on a regular basis.
  • Install your operating system’s security updates.
  • Keep your browser updated. Only use browser add-ons you trust.
  • Make sure you turn on the firewall.

Secure Passwords

There are several services that generate secure, longer passwords for you. Here are some of the options. You can also use a password manager like LastPass to store your passwords and use it for automatic login.

Password Managers:

  1. LastPass
  2. KeePass
  3. RoboForm

Don’t store passwords in plain text or Word files. Don’t store passwords in FTP programs. Don’t store passwords in any program that gives access to any user other than you.

Backup your WordPress

The only real way to make your website safe is to back it up. Whatever happens after that, at least you’ll always have the files saved to replicate the site again. Even if it means starting over, it’s still better than losing everything.

With traditional HTML-based websites, backing up is a simple process. You just copy the files on your hosting server to your own computer (download), and that’s your full backup. WordPress is a little more complicated, though.

A WordPress website consists of two main parts:

1. The files. This includes the WordPress core files, plugins, themes, and uploaded files like images, and settings.

2. The Database, which stores all your website content.

For a full WordPress website, you need to back up the files AND the database.
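Backing up both parts by hand is the clearest way to see what a backup plugin has to do. The following is an added example, written for this guide’s readers rather than taken from the guide or from UpdraftPlus: a POSIX shell script that archives the files and dumps the database. The WordPress root path, the assumption that a page cache lives under wp-content/cache, and the use of a MySQL options file with mysqldump are all assumptions about the host; the sample site it builds is constructed so the file half can be tried offline without a database.

```sh
#!/bin/sh
# Added example (not from the guide, not UpdraftPlus): back up both parts of
# a WordPress site, the files and the database. Paths and the cache
# location are assumptions; mysqldump must be installed for the DB part.
set -u

# Pull one define('NAME', 'value') constant out of wp-config.php.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# Part 1, the files: tar the whole WordPress root. The page cache (assumed
# to live under wp-content/cache) is regenerated on demand and only adds
# bulk, which matters because full backups have to travel off-site.
archive_files() {
  tar -C "$1" --exclude='./wp-content/cache' -czf "$2" .
}

# Part 2, the database. Credentials go into a MySQL options file that only
# the owner can read, so the password never appears on the command line or
# in the process list.
write_db_options() {
  ( umask 077
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
      "$(wp_config_value "$1" DB_USER)" \
      "$(wp_config_value "$1" DB_PASSWORD)" \
      "$(wp_config_value "$1" DB_HOST)" > "$2" )
}

dump_database() {
  # --single-transaction gives a consistent InnoDB snapshot without locking
  mysqldump --defaults-extra-file="$1" --single-transaction "$2" | gzip > "$3"
}

# Full backup: both parts, date-stamped, written to a directory you then
# copy off the server (the guide's point: a backup kept only on a server
# that may itself be compromised is no backup).
backup_site() {
  wp_root="$1"; dest="$2"; stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  archive_files "$wp_root" "$dest/files-$stamp.tar.gz"
  write_db_options "$wp_root/wp-config.php" "$dest/.my.cnf"
  dump_database "$dest/.my.cnf" \
    "$(wp_config_value "$wp_root/wp-config.php" DB_NAME)" "$dest/db-$stamp.sql.gz"
  rm -f "$dest/.my.cnf"
}

# Verification helper: is the given member path inside the archive?
archive_has() {
  tar -tzf "$1" | grep -qx "$2"
}

# Constructed sample site, for trying the file half offline (no MySQL needed).
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads" "$root/wp-content/cache"
  cat > "$root/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wp_demo');
define('DB_USER', 'demo_user');
define('DB_PASSWORD', 'demo_pass');
define('DB_HOST', 'localhost');
EOF
  : > "$root/wp-content/uploads/photo.jpg"
  : > "$root/wp-content/cache/page.html"
  printf '%s\n' "$root"
}
```

Run it as backup_site /home/youruser/public_html /home/youruser/backups and then copy the two date-stamped files to your off-site storage. The uploads folder is the part that grows, so the archive is the large half and the database dump is the small one, exactly the size difference the guide describes.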

There are a lot of tools and plugins available to help you back up your WordPress website. It’s important to check exactly what they back up.

Some only do partial backups like the database. The more useful ones will backup both the database and all the files.

You may think that the only way to do a proper backup is a full one. First, be aware of the file size of these backups.

The database-only backups are typically 1-5 MB in size. You can even have these emailed to you.

Full backups can be gigabytes (GB) in size, and they use a lot of server resources to process. Clearly you cannot receive these by email.

The solution is to use a plugin like UpdraftPlus. There’s a free version which is more than adequate for most users. The premium version is great for anyone who needs more power and options.

The free version of UpdraftPlus can automatically back up your site to a remote storage location on a predefined schedule. Supported locations include popular online storage like Dropbox, Google Drive, and Amazon S3, to name a few. If anything should happen to your hosting server, you have offsite backups to fall back on.

Installing & Setting up UpdraftPlus

As with most trusted plugins, you can find it in the WordPress repository. You just log in to your WordPress Dashboard and go to “install a new plugin.”

Search for “updraft”.

[Image: updraftplus-wordpress-backup-plugin]

As I write this guide, you can see the plugin is actively in use by 1+ million websites. It was also updated fairly recently. Both of these metrics provide you with clues to show it’s a trusted and actively updated plugin (something you should always look out for).

Install and activate Updraft.

Once active, you’ll find a new menu under the Settings menu, called UpdraftPlus Backups.

[Image: updraftplus-settings]

In your case, there won’t be any backups yet.

I recommend the first thing you do is click the Backup Now button.

You need to choose what to include in your backup, so choose database and files. You’ll notice the disabled box referring to remote storage.

Since we haven’t set up remote storage yet, it isn’t an option. The program is currently set to store the backup directly on your web server.

However, a backup is not much use if we store it on a hacked server. This is why we really need to set up some off-site storage.

OK, now cancel the backup and click on the Settings tab.

[Image: updraftplus-remote-storage]

At the top of this screen, you can choose the frequency of automated backups.

The frequency you choose will depend on how often you update your site. If you don’t update the site at all, then leave both database and file backups as monthly.

If you update weekly, set the database to weekly but leave the files as monthly.

If you update on a daily basis, set the database frequency to at least daily. The file backup frequency is up to you. But remember, it takes more server resources to back up the files. They’re also a lot bigger in size, and therefore use more bandwidth when uploading to your off-site storage.

Personally, I leave files as monthly for all my sites and then adjust the database, depending on how frequently I update the site.

When you set the frequency, you can also choose how many backups to keep. The only real concern here is how much space you have on your remote storage. I would recommend you always have a minimum of at least three months of backups. Therefore, if backups are monthly, keep 3. If they’re weekly, keep 12.

You can now choose the remote storage option.

  1. Click your chosen remote storage to select it, and then scroll to the bottom of the page to save the changes. I’ve chosen Dropbox for mine.
  2. During the process of setting up a storage option, you’ll have to authorize UpdraftPlus to log into the chosen site. The note below is for Dropbox:

[Image: updraftplus-dropbox]

Once you’ve saved the settings you need to click the link and sign into Dropbox to complete the authorization.

When done, you can continue to scroll down the settings of this plugin. This is where you choose which files to backup, and those to exclude—if any:

[Image: updraftplus-files-backup]

There’s also a useful option to have an email report sent with the backup details.

Now click the save button at the bottom of the screen. That’s all there is to it.

Over on the current status tab, you should now have a “Next Scheduled Backups” date. You’re also free to create one manually now by clicking the Backup Now button; this time you’ll see the option “Send this backup to remote storage”.

With backups done, you now have everything you need to restore your site to its present glory in any eventuality. It’s effectively 100% secure already.

With the site backed up, let’s now learn about the threats to your website security.


Plugins

Plugins are basically pieces of code that add new features to your WordPress site.

Since code can control pretty much every aspect of a site, including malicious things, you need to be sure you can trust the plugins you use.

Although much of this is also common sense, here are a few helpful tips:

  • Only install plugins from trusted sources. The WordPress repository is the main trusted source. Sometimes, you may want to buy something that isn’t in there. In these cases, do your due diligence and check out reviews and customer comments on those plugins.
  • Developers who create free plugins come in two forms. There are the good guys who are happy to help and want to create a useful, free plugin with no strings attached. Then there are those who want to profit from their free plugin. There are a number of ways to do this. The most common method is to give away a free trial version. They hope you’ll upgrade to a paid version with more features and functions after the trial period. These can be fine but again, do your due diligence.
    The type of plugin to be wary of are those which include code that doesn’t directly contribute to the functionality you’re trying to gain. For example, a mortgage calculator that adds a link back to the lender’s website. In this case you want the functionality of the calculator. Yet the bank has included other, unrelated code, to that function. In this case, it’s a link pointing back to their website. My advice is to avoid this type of plugin at all costs.
  • Always keep plugins up to date. Be wary of those that have no known updates, or have not had an update in a very long time. There are also legitimate plugins that just don’t get updates. For example, they use secure code and the author doesn’t want to add new features. These are fine. If there’s a plugin you want, but it’s been a while since its last update, check it out on Google. Use a search term like “plugin name + security” to see if there are any reported issues.
  • If you deactivate a plugin, uninstall it altogether. Even inactive plugins CAN cause security problems if they contain vulnerable code.


Themes

Themes, like plugins, add code to your website.

The same kind of common sense measures we talked about for plugins also apply to themes. Here are some guidelines.

  • The WordPress theme repository is a safe place to get themes. Many people still want to look further afield to find the best themes for their website. Be careful where you get yours from. Again, do a search on Google for the theme in question and see whether it appears to be from a trusted source.
  • Some authors offer free themes. They usually include a link in the footer (or elsewhere) back to the developer’s website. On the face of it the deal looks sweet. NEVER use a theme that forces this type of site-wide link on you, no matter how subtle. Why? You have no control over the destination website attached to that link. The link may redirect, either now or later on, to any site the author chooses, e.g. porn, gambling, and so on. This type of site-wide footer link will also cause you SEO problems in Google. The search engines don’t like them, not even if the site it links to is a trusted one.
  • Keep themes up to date and install updates as soon as you know about them. Theme developers might release an update to add new features, but it could also be to plug security holes.

WordPress Security Fixes

Here are some of the security fixes that you should apply for hardening your WordPress setup. Most of the fixes in this chapter can be applied with the help of a plugin.

There are also some fixes that require you to be careful while editing the php.ini and .htaccess files, as changing them can affect your WordPress setup.

Replace Admin User

By default, the first WordPress user is named “admin”, and many hackers use that default name for their attacks. To remove the default user, first create a new user with a custom name, give that user the administrator role, and then delete the default “admin” user. That way hackers can’t guess the name of the administrative account. If you do plan to keep the default admin account, avoid publishing articles or any other content with it. Set up an editor account for content and other management purposes, and keep the admin-level account for administrative work only. You can also rename the admin username from the phpMyAdmin SQL query window.

Run the following query:

-- Rename the login name only; display_name and user_nicename keep their old values.
UPDATE wp_users SET user_login = 'your_new_login' WHERE user_login = 'admin';

Where your_new_login is the new name of your user.

You can also verify the new change in the tables by checking the tables in the WordPress database.

You can also try these plugins to do the job: Admin Renamer Extended, Username Changer, WPVN – Username Changer.

Use a Strong Password

Make sure your password has upper- and lowercase characters, special symbols and numbers. If you use cPanel installers like Fantastico or Softaculous, the password for the setup is chosen by the installer. For better security, change the default password given by any such installer. Use the LastPass password generator tool to create strong, safe passwords for your WordPress installation. If you can’t remember a long password, LastPass is very handy for remembering it for you.

Worth Mentioning

  • Secure Password Generator – generates a unique set of custom, high quality, cryptographic-strength password strings which are safe for you to use.
  • SuperGenPass – A master password and the domain name of the Web site you are visiting is used as the “seed” for a one-way hash algorithm (base-64 MD5). The output of this algorithm is your generated password. You remember one password (your “master password”), and SGP uses it to generate unique, complex passwords for the Web sites you visit. Your generated passwords are never stored or transmitted, so you can use SGP on as many computers as you like without having to “sync” anything.
  • Password Safe – Whether the answer is one or hundreds, Password Safe allows you to safely and easily create a secured and encrypted user name/password list. With Password Safe, all you have to do is create and remember a single “Master Password” of your choice in order to unlock and access your entire user name/password list.

Secure the Dashboard

The dashboard login page is where hackers are most likely to attack. You can protect it in many ways, and you can also customize the dashboard so that bots can’t be used to gain access. Some of the options:

  • Change the login page URL from /wp-admin/ to some other custom name.
  • Limit login attempts with a plugin such as Simple Login Lockdown.
  • Use two-factor authentication for additional dashboard security.
  • Use an e-mail address instead of the username for logging into the dashboard.
  • Use reCAPTCHA on the login page.
  • Use invite codes and give them to trusted people to filter out spam bot signups.
  • Add password authentication to the wp-admin folder.

Protecting the folder is a much better option for protecting your data. The “wp-admin” folder is very important and can be protected with directory-level password authentication. You can use cPanel or a similar hosting control panel to set the folder password.

Some hosts also offer a file manager within the browser, which you can use to set folder permissions and a password. Most hosting services offer cPanel or ZPanel, which have features for securing files and folders. If you’re unsure how to perform this task, I suggest hiring a programmer to do it for you.

Use a .htaccess file in the ‘wp-admin’ directory to limit access to certain IP addresses only. Add the following code to that .htaccess file to protect the directory and allow access only from those addresses.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# order/deny/allow is the Apache 2.2 syntax (mod_access_compat on 2.4);
# the native 2.4 equivalent of the lines below is: Require ip xxx.xxx.xxx.xxx
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx
# whitelist work IP address
allow from xxy.xxy.xxy.xxy
# Caveat: plugins that call wp-admin/admin-ajax.php from the public site
# are blocked for ordinary visitors too once this is in place.


Change the default table prefix in the WordPress database

By default, the WordPress installation script uses a predefined table prefix, “wp_”. Changing the table prefix can help avoid some common database-related security issues. Softaculous and the cPanel hosting control panel allow you to modify the MySQL or PostgreSQL database from the browser.

If your installation script finished with the default prefix, you have to change it manually: edit wp-config.php, found in your WordPress root directory, and change the prefix to the custom name.

Find the line that reads:

$table_prefix = 'wp_';

Change it to:

$table_prefix = 'newName_';

Where “newName_” is the new prefix you want, with the underscore in place. Likewise, you have to rename every table that carries the “wp_” prefix so that it uses the new prefix.

To do this, log in to the phpMyAdmin dashboard on your hosting control panel. If you use a database other than MySQL, use that database’s administration panel to rename the tables in the WordPress database.

Some security plugins allow you to modify the WordPress database prefix even after installation. You can use that option if you’re unsure how to edit wp-config.php and change the prefix in phpMyAdmin. I suggest this option to anyone who has no idea about modifying PHP files or working with the database.

Move your wp-config.php file

The default location of wp-config.php is often targeted by hackers for SQL injection attacks. You can move the wp-config.php file one level above the WordPress root directory. WordPress searches for the file there automatically if it doesn’t find it in the root folder and carries on as normal. From WordPress 2.6 onwards you can easily move the location of the wp-config.php file.

Remove Sensitive Information from wp-config.php

Create a new ‘config.php’ file

Create a new file called ‘config.php’. The file should be created in a directory that is not accessible over the web.

For example, if your blog or website content is in /home/youruser/public_html/, then create the file config.php in /home/youruser/ so the file cannot be reached by any of your visitors. Typically this should be a directory before public_html or www directory.

Open the existing WordPress wp-config.php file and move the lines containing the database connection details, the database prefix and the WordPress security keys from wp-config.php into the new config.php file, as shown in the example below. Add <?php at the beginning of the new config.php file and ?> at the end of the file.

<?php
// Database connection details
define('DB_NAME', 'Your_DB'); // name of database
define('DB_USER', 'DB_User'); // MySQL user
define('DB_PASSWORD', 'DB_pass'); // and password
define('DB_HOST', 'localhost'); // MySQL host

// The WordPress Security Keys
define('AUTH_KEY',         'Your_key_here');
define('SECURE_AUTH_KEY',  'Your_key_here');
define('LOGGED_IN_KEY',    'Your_key_here');
define('NONCE_KEY',        'Your_key_here');
define('AUTH_SALT',        'Your_key_here');
define('SECURE_AUTH_SALT', 'Your_key_here');
define('LOGGED_IN_SALT',   'Your_key_here');
define('NONCE_SALT',       'Your_key_here');

// The WordPress database table prefix
$table_prefix  = 'wp_'; // only numbers, letters and underscore
?>

Modify wp-config.php file

After removing all the sensitive data from the wp-config.php file, add the following line straight after <?php in the wp-config.php file: include('/home/yourname/config.php'); So the first two lines of your wp-config.php should look like this:

<?php
include('/home/yourname/config.php');

Now instead of having all the sensitive information stored in your wp-config.php file, the wp-config.php file is reading such information from a different location. Please note that the include path (i.e. /home/yourname/) varies from one web server or web hosting provider to the other.

When you do that, nobody except a person with FTP or SSH access will be able to find this file.

You can also block web access to the wp-config.php file by creating a .htaccess file in the folder where it resides and adding the following code to it.

<files wp-config.php>
order allow,deny
deny from all
</files>

Change Default Secret Keys

WordPress has a secret keys system: a set of random salts that WordPress mixes into the hashes protecting your login cookies, so that they are far harder to guess or forge. These keys are located in the wp-config.php file.

define('AUTH_KEY', '');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY', '');
define('NONCE_KEY', '');

The default keys can be replaced with freshly generated ones from the WordPress.org site. Point your browser to https://api.wordpress.org/secret-key/1.1

Copy the keys from that page and paste them into your WordPress setup.
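Because empty or placeholder keys are easy to leave behind after an installation or a migration, here is an added check (example code, not the guide’s and not part of WordPress) that scans a wp-config.php for the eight constants and reports any that are missing, empty, shorter than 32 characters, or still the stock placeholder text. Generating replacements locally from /dev/urandom is an assumption on my part, offered as an offline alternative to copying them from api.wordpress.org; the sample configuration it scans is constructed.

```sh
#!/bin/sh
# Added example (not the guide's code): find weak WordPress secret keys in
# wp-config.php and generate replacements locally.
# Assumption: keys are written as define('NAME', 'value'); lines, as in the
# stock wp-config.php.

# The eight constants a current wp-config.php should define.
WP_KEY_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# Print the current value of one constant (empty if the line is absent).
wp_key_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# Print, one per line, every key that is missing, empty, shorter than 32
# characters, or still the placeholder the sample config ships with.
weak_wp_keys() {
  for name in $WP_KEY_NAMES; do
    value=$(wp_key_value "$1" "$name")
    case "$value" in
      ''|'put your unique phrase here') printf '%s\n' "$name" ;;
      *) [ "${#value}" -ge 32 ] || printf '%s\n' "$name" ;;
    esac
  done
}

# Offline replacement: 48 random bytes from the kernel CSPRNG as 96 hex
# characters (assumption: /dev/urandom is available, as on any Linux host).
new_wp_key() {
  head -c 48 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print replacement define() lines for every weak key, ready to paste in.
replacement_defines() {
  for name in $(weak_wp_keys "$1"); do
    printf "define('%s', '%s');\n" "$name" "$(new_wp_key)"
  done
}

# Constructed sample wp-config.php with a mix of good and bad keys:
# a placeholder, an empty value, a short value and one key missing entirely.
make_sample_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'Z6q+>y!N#wF3c)k<R~b%HmQ2j@eL8p(dV9t');
define('LOGGED_IN_KEY',    '');
define('NONCE_KEY',        'x7rT^pL2&nQ9vB4m=gH5c|kW1sD8zF6yA3');
define('AUTH_SALT',        'short');
define('SECURE_AUTH_SALT', 'u3Jd$hN8k!Lq2Rm^Pw5sV7bX9cZ4yT1gE0');
define('LOGGED_IN_SALT',   'o5Gk+eR7n#Wq1Tm=Hs3bL9pX6cV2zY8fM4');
EOF
  printf '%s\n' "$f"
}
```

Run weak_wp_keys /path/to/wp-config.php on your real file; replacement_defines prints ready-to-paste define() lines for only the weak ones. Changing any of the keys logs every user out, because existing cookies no longer validate, which is also why regenerating them is the right move after a suspected compromise.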

Disable HTTP Trace Method

WordPress installations are often attacked through Cross Site Tracing (XST), which combines Cross Site Scripting (XSS) with the HTTP TRACE method on systems that have it enabled. Web hosts use HTTP TRACE for debugging purposes. An XST attack typically steals the cookie and other sensitive server information via header requests.

You can disable HTTP TRACE by adding the following code to your .htaccess file:

RewriteEngine On
# The RewriteCond is what limits the rule to TRACE requests; without it
# the rule would forbid every request to the site.
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
# If you control the main Apache configuration, "TraceEnable off" there
# disables the method server-wide.

Secure File Permissions

All WordPress core files should have 0644 permissions by default: writable only by the owning user account, readable by the web server and everyone else. Default WordPress folder permissions are 0755: writable only by the user, readable and enterable by the web server and everyone else. If your web host provides cPanel as a control panel, you can use its file manager to change the permissions of the files and folders in your WordPress directories.
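This section and the file permissions table earlier in the guide both come down to two numbers, 644 and 755. As an added example (not the guide’s own code), here is a POSIX shell audit that lists everything group- or world-writable or needlessly executable under a WordPress root and resets the tree to those defaults; the sample tree it builds is constructed, and the path you pass in is whatever your host uses.

```sh
#!/bin/sh
# Added example (not from the guide): audit a WordPress tree for
# permissions looser than the 644 (files) / 755 (folders) defaults and
# reset them. The path you pass in is an assumption; the sample tree is
# constructed.

# Print every file or folder that group or world can write to, one per
# line. 777 and 666 both show up here; 644 and 755 do not.
find_group_or_world_writable() {
  find "$1" \( -perm -g+w -o -perm -o+w \) | sort
}

count_group_or_world_writable() {
  find_group_or_world_writable "$1" | wc -l | tr -d ' '
}

# Print regular files that carry the owner execute bit. PHP files under
# Apache do not need it (mod_php / php-fpm read them), so it is only
# attack surface.
find_executable_files() {
  find "$1" -type f -perm -u+x | sort
}

# Reset to the WordPress defaults the guide names: 755 folders, 644 files.
harden_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree with the kinds of mistakes uploads and cache
# plug-ins leave behind.
make_sample_tree() {
  root=$(mktemp -d)
  ( umask 022
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins/demo"
    : > "$root/index.php"
    : > "$root/wp-config.php"
    : > "$root/wp-content/plugins/demo/demo.php"
    chmod 777 "$root/wp-content/uploads"               # world-writable folder
    chmod 666 "$root/wp-content/plugins/demo/demo.php" # world-writable file
    chmod 755 "$root/index.php"                        # executable PHP file
  )
  printf '%s\n' "$root"
}
```

Run count_group_or_world_writable on your document root first and read the list before changing anything: a host that runs PHP as a separate user sometimes needs group write on wp-content/uploads, and that is a decision to make knowingly rather than by accident. If PHP runs as the file owner, wp-config.php can be tightened to 600, the strictest level in the guide’s table; if PHP runs as a different user, it must stay readable at 644.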

Disable File Editing

The file editor inside your WordPress Dashboard is invaluable. It gives you — or any other admin user logged into your account — access to theme and plugin files.

To edit theme files, go to the Appearance menu and select Editor.

To edit plugin files, go to the Plugins menu and select Editor.

The problem we have is that anyone with access to these files can “inject” malicious code into your website. So if the logged in user is a hacker, the consequences can be catastrophic.

The good news is you can disable these editors by adding a single line of code to your wp-config.php file.

I’m going to show you how to do this manually, BUT, this is for information only. The plugin we install in the second part of this guide will do the work for you.

For those who want to do this manually now, here’s how it works.

The wp-config.php file is in the root folder of your website. You can gain access to it by using FTP or the File Manager inside cPanel.

Here’s the wp-config.php file for one of my test sites:

[Image: disable-file-editing-wordpress]

I’ve drawn an arrow at the point where I’m going to insert the line of code.

Position your cursor in the blank line right before the line that starts:

// ** MySQL settings – …

In this line, insert the following code:

define('DISALLOW_FILE_EDIT', true);

When you’ve done that, save your wp-config.php file and make sure it overwrites the older version.

Now log in to your WordPress Dashboard. You’ll no longer see the options to use the editor.

Protect install.php

There are two ways to protect install.php. The first is to remove the file completely; the second is to restrict access to it by modifying .htaccess.

<Files install.php>
Order Allow,Deny
Deny from all
Satisfy all
</Files>

Protect Sensitive Files by Type

Some files in the WordPress core need protecting.

You can use the following code in .htaccess to restrict access to these files by type.

# <FilesMatch> is required for a regular expression; <Files> takes a literal name.
<FilesMatch "\.(htaccess|ini|php)$">
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx
</FilesMatch>
# Caveat: "php" here matches index.php and every other front-end PHP file,
# so only the allowed address can use the site at all. Narrow the pattern
# if you only want to cover the sensitive files.

Deny Harmful Query Strings

Add the following code to your .htaccess file to help prevent XSS and injection attacks carried in the query string.

# Return 403 for any request whose query string matches one of these patterns.
# Several patterns are broad (tag=, http:, %C, select, ...) and also block legitimate
# requests such as tag archives, redirect_to= parameters and UTF-8 search terms; test first.
RewriteEngine On
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ - [F,L]
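To see what this rule set actually catches, here is an added Python simulation (not from the guide) that applies the same patterns to constructed sample query strings. It shows a traversal probe and SQL keywords being caught, and also a normal tag archive and a UTF-8 search term being blocked, which is why the rules need testing on your own site before deployment.

```python
import re
from urllib.parse import urlsplit

# Added example: the RewriteCond patterns from the .htaccess snippet above,
# translated to Python regular expressions. mod_rewrite matches them against
# the raw, still percent-encoded query string, so we do the same; [NC] maps
# to re.IGNORECASE. The labels are ours, for reporting only.
BLOCK_PATTERNS = [
    (r"\.\./", "directory traversal"),
    (r"boot\.ini", "boot.ini probe"),
    (r"tag=", "tag= parameter"),
    (r"ftp:", "ftp: URL"),
    (r"http:", "http: URL"),
    (r"https:", "https: URL"),
    (r"mosConfig", "mosConfig variable"),
    (r"[\[\]()<>'\";?*]", "shell/HTML metacharacter"),
    (r"%22|%27|%3C|%3E|%5C|%7B|%7C", "encoded quote or bracket"),
    (r"%0|%A|%B|%C|%D|%E|%F|127\.0", "encoded high/control byte or loopback"),
    (r"globals|encode|config|localhost|loopback", "config/localhost keyword"),
    (r"request|select|insert|union|declare|drop", "SQL keyword"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in BLOCK_PATTERNS]


def matching_rules(query_string):
    """Return the labels of every rule that fires on a raw query string."""
    return [label for rx, label in COMPILED if rx.search(query_string)]


def would_block(url):
    """Simulate the RewriteRule: any matching condition means a 403 ([F])."""
    return bool(matching_rules(urlsplit(url).query))


if __name__ == "__main__":
    # Constructed sample requests: two attack-style probes, four ordinary ones.
    samples = [
        "/index.php?p=42",                             # plain post request
        "/index.php?file=../../etc/passwd",            # traversal probe
        "/index.php?id=1 union select 1",              # SQL keywords
        "/index.php?tag=security",                     # legitimate tag archive
        "/?s=caf%C3%A9",                               # legitimate UTF-8 search
        "/index.php?redirect_to=http://example.com/",  # legitimate redirect param
    ]
    for url in samples:
        verdict = "BLOCK" if would_block(url) else "allow"
        print(f"{verdict:5} {url}  {matching_rules(urlsplit(url).query)}")
```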

Disable Folder Browsing

Keeping your WordPress directories browsable by anonymous users helps hackers collect information about your plugins and WordPress setup. This can be prevented by disabling folder browsing (directory listing) on your server.

There are two ways to disable folder browsing.

  • You can create an index.html in each folder of your WordPress setup. This way users can’t view the rest of the folders in the hierarchy.
  • If you use a Linux server running Apache, add the following line to the .htaccess file in your root folder.

Options -Indexes

On a Windows server, you need to upload the index.html into every directory of the WordPress installation.

Hide PHP Disclosure Information

By default, a PHP installation discloses its version in an HTTP response header, e.g. “X-Powered-By: PHP/version”. This is a big security risk because if your PHP version is old, hackers can use this to their advantage and mount attacks known to work against it.

You can turn this feature off by modifying the php.ini file:

expose_php = Off

Another security fix you can make in php.ini is disabling error display on your server. When something goes wrong in the WordPress setup, PHP shows the specific error on the page, including the internal directory path.

This can be disabled by modifying the following line in php.ini:

display_errors = Off

Once you apply these two fixes, check that the HTTP header and the PHP error page no longer show the information.

If you can’t modify the php.ini file, then you need to add a line of code to your wp-config.php file. You can find this file in the root folder of your domain.

The line is as follows:

error_reporting(0);

Place the code right after the opening <?php tag and above all the other code in the file.

Login Page Protection

The login page for your website is the main gateway to access your Dashboard. It’s often the first port of call for hackers.

If you protect your login page, you reduce the chance of a hacker gaining access.

Fortunately, there are a few ways to protect the login page. You can rename it, move it, add a Captcha, or block certain IP addresses.

Some methods of protection are more effective than others. The plugin we install in the last part of this guide gives us some great options, so no need to worry about this right now.


XML-RPC

XML-RPC is a programming interface (API) that lets other software and developers talk to WordPress.

A lot of tools may need XML-RPC to work properly. For example, I use Open Live Writer to work offline on my websites. This gives me a WYSIWYG (What You See Is What You Get) editor. I use it to create and format posts or pages that I can then publish to my site when I’m ready. Open Live Writer requires XML-RPC to be enabled for it to work.

Some plugins also need XML-RPC, like Jetpack. Since WordPress 3.5, XML-RPC is enabled by default.

The problem we have is that software can manipulate WordPress through the XML-RPC. This makes it a possible security concern. In fact, a lot of WordPress gurus recommend you disable it.

In the past, hackers used XML-RPC for something called DDoS attacks. It stands for “Distributed Denial of Service.”

Plugins like Akismet can usually spot this type of attack and prevent it. Therefore, it may not be worth switching off XML-RPC to stop DDoS attacks.

Hackers have also used XML-RPC extensively for brute force attacks. But again, most security plugins will prevent this type of attack today, so it’s not worth worrying about. The plugin we set up later also prevents this type of attack.

My suggestion is not to disable it. If you decide you want to, then there are plugins that can disable it for you. Check out “Disable XML-RPC Pingback” and “Disable XML-RPC”.

Use Suhosin for PHP Hardening on Your Server

Suhosin is an advanced protection system for PHP installations and helps keep the web server safe from common PHP vulnerabilities. Most modern web servers have Suhosin installed; if yours does not, you may need to get in touch with the server administrator to install it for you.

Delete Unused Plugins and Themes

Remove unused plugins and themes from the setup. If you’re not planning to use them anytime soon, it is better to get rid of them. If you don’t want to delete them, at least keep them updated. Keeping unused plugins and themes just adds to your security checklist: if any such plugin has a security flaw, it affects your setup even though you are not using it on the website.

Disable User Registration

Most WordPress setups are operated by a single user. Unless you are running a multi-user WordPress setup, you don’t need the registration feature in WordPress. You can always create the users manually inside the WordPress dashboard and let the authors log in. Make sure the “Anyone can register” option is unchecked on the Settings – General page.


Stop Search engines from Browsing Directories (Optional)

Add the following to your robots.txt to stop search engines from crawling and indexing WordPress directories.

User-agent: *

Disallow: /cgi-bin/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /xmlrpc.php
Disallow: /wp-login.php
Allow: /wp-admin/admin-ajax.php
Sitemap: http://yourdomain.com/sitemap.xml

Enable Logging And Archiving For Apache

Apache logging can help you understand how an intrusion happened in your WordPress setup and point to the security flaw in a plugin or theme. You have to enable logging and archiving of the Apache web server access logs. If your web host uses cPanel as the control panel, you can enable this feature by following these steps: open the Logs group, click the Raw Access Logs icon, and select “Archive logs in your home directory”.

If you are on Windows hosting server, you have to write a support ticket and let the server administration support team sort this out for you.
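As an added example, not part of the original guide, here is a Python script that reads Apache combined-format access log lines (the raw access logs enabled above) and flags source addresses that make a burst of failed login requests; the log lines are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Endpoints that carry login attempts: the login form and XML-RPC.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_attempts} for every IP with more than `threshold`
    failed login POSTs inside any `window`-long span (sliding window per IP).
    A successful wp-login.php POST answers 302 (redirect to the dashboard);
    a failed one re-renders the form with 200, so 302s are not counted."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if path not in LOGIN_PATHS or (path == "/wp-login.php" and rec["status"] == 302):
            continue
        attempts[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged


def _line(ip, hms, method, path, status, agent):
    return f'{ip} - - [10/Oct/2023:{hms} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{agent}"'


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = (
    [_line("203.0.113.7", f"13:55:{s:02d}", "POST", "/wp-login.php", 200, "python-requests/2.31")
     for s in range(0, 60, 10)]                        # six failures in one minute
    + [_line("198.51.100.4", "13:56:10", "POST", "/wp-login.php", 302, "Mozilla/5.0"),
       _line("198.51.100.4", "13:56:11", "GET", "/wp-admin/", 200, "Mozilla/5.0")]  # one real login
    + [_line("192.0.2.9", f"{h:02d}:00:00", "POST", "/xmlrpc.php", 200, "Mozilla/5.0")
       for h in range(14, 20)]                          # six XML-RPC posts an hour apart
    + ["not a log line at all"]
)

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login attempts, burst exceeded threshold")
```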

Secure PHP Installation

Set the following directives in php.ini as shown (all Off except log_errors, which should be On). Each disabled feature helps keep your WordPress setup secure.

register_globals = Off       ; removed in PHP 5.4; only relevant on older PHP
allow_url_fopen = Off
short_open_tag = Off
display_errors = Off
display_startup_errors = Off
log_errors = On
magic_quotes_gpc = Off       ; removed in PHP 5.4; only relevant on older PHP
magic_quotes_sybase = Off    ; removed in PHP 5.4; only relevant on older PHP

Setting register_globals to Off stops hackers from injecting variables into PHP through the request. Setting allow_url_fopen to Off stops PHP code from including and executing code fetched from other websites. Setting short_open_tag to Off makes PHP code interpretation stricter.

Setting display_errors and display_startup_errors to Off prevents visitors from reading the paths of your themes and plugins when they throw errors. Setting log_errors to On enables error logging, which helps when investigating a malware attack or intrusion. magic_quotes_gpc and magic_quotes_sybase are set to Off so that content containing quotes is handled properly by the application and the quotes cannot be used for an attack.
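Here is an added Python script (not from the guide) that audits a php.ini file against the values recommended above, including expose_php from the “Hide PHP Disclosure Information” section; the sample php.ini is constructed.

```python
# Added example: audit php.ini text against the hardening values above
# (log_errors On, everything else Off) plus expose_php. Nothing here is
# from the guide or from PHP itself; it is plain text parsing.
RECOMMENDED = {
    "register_globals": "off",       # removed in PHP 5.4; only relevant on old PHP
    "allow_url_fopen": "off",
    "short_open_tag": "off",
    "display_errors": "off",
    "display_startup_errors": "off",
    "log_errors": "on",
    "magic_quotes_gpc": "off",       # removed in PHP 5.4
    "magic_quotes_sybase": "off",    # removed in PHP 5.4
    "expose_php": "off",
}

# php.ini accepts several spellings for booleans; fold them to "on"/"off".
_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no", "none", ""}


def normalise(value):
    v = value.strip().strip('"').lower()
    if v in _TRUE:
        return "on"
    if v in _FALSE:
        return "off"
    return v


def parse_php_ini(text):
    """Parse php.ini text into {directive: normalised value}.
    Handles ';' comments, [Section] headers and repeated directives
    (the last occurrence wins, as in PHP)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = normalise(value)
    return settings


def audit(text):
    """Return {directive: (found, wanted)} for each directive that is not at
    its recommended value. A directive absent from the file is reported as
    "unset": PHP's built-in default then applies, and for expose_php and
    display_errors that default is On."""
    settings = parse_php_ini(text)
    return {
        directive: (settings.get(directive, "unset"), wanted)
        for directive, wanted in RECOMMENDED.items()
        if settings.get(directive, "unset") != wanted
    }


# Constructed sample; not any real server's configuration.
SAMPLE_INI = """\
[PHP]
expose_php = On
display_errors = On            ; left on after debugging a theme
display_startup_errors = Off
log_errors = On
allow_url_fopen = 1
short_open_tag = Off
"""

if __name__ == "__main__":
    for directive, (found, wanted) in sorted(audit(SAMPLE_INI).items()):
        print(f"{directive:25} is {found:6} should be {wanted}")
```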

If turning off any of these features in php.ini breaks something you need in your WordPress setup, you can turn that particular feature back on. You don’t have to sacrifice a feature for the sake of hardening that can often be handled another way. You can also stop PHP from executing in certain folders.

However, I don’t recommend this method because sometimes plugins and folders stop working.

If you want to stop PHP file execution in certain folders, just create a .htaccess file and add the following code into it.

# Secure [Directory Name]: deny direct requests for any PHP file in this directory
# (Apache 2.2 syntax; on Apache 2.4 replace the Order/Deny lines with "Require all denied")
<Files *.php>
Order Allow,Deny
Deny from all
</Files>

Usually, you can place this code in a .htaccess file in the /uploads and /wp-includes directories. However, I suggest testing on a local server before deploying this hack on the live website.

WordPress Security Plugins

Free or Premium Plugin

It is not easy to select the type of plugin suitable for your setup. Premium plugins are worth considering if your WordPress data is critical for your business. If you run a hobby blog or non-commercial blog, you don’t have to invest in a premium plugin. Keep in mind: the more important the data handled by WordPress, the more hardened your security setup should be.

How Many Plugins?

I have listed plenty of plugins for you to choose from and install on your dashboard. However, you don’t have to install a lot of them. For example, if you are the only person who logs into your WordPress dashboard, you don’t need many login security plugins. Use the plugins that give you the minimum security you need without reducing the performance of your WordPress setup. Do note that some hosts do not allow certain WordPress plugins.

So always consult with your hosting service before attempting to use any plugin that modifies your WordPress setup. e.g. Wpengine and Zippykid hosting services have their own guidelines on which type of plugin you can use for cache and security.

How to Choose a Plugin?

To choose the right plugin for your WordPress setup, use the following checklist.

✔ Check the number of downloads. Prefer the plugin with more downloads.
✔ Check how many issues are reported in the plugin’s support forum on the WordPress.org site.
✔ Check the plugin author’s activity in the forum.
✔ Check how often the plugin is updated. Ignore the star rating of the plugin.
✔ Check that the plugin uses a unique namespace for its functions and options.
✔ Check how the plugin makes use of the Settings API in its features.
✔ Check the hooks, filters, and actions inside the plugin.
✔ Check that the plugin properly sanitizes data and MySQL statements.
✔ Choose the plugin that does one task really well.
✔ Prefer plugins that use nonces instead of browser cookies. If more than one plugin does the same task, choose the one with the higher download count and better reviews.
✔ Check the reputation of the plugin author in the WordPress community.

These are the criteria to look at when selecting a security plugin from the wordpress.org repository. If you choose to install the premium version of a plugin, search online for reviews first. Also, test-drive the free plugin or trial service before you buy.

Essential WordPress Security Plugins

Installing some of the essential plugins can ensure safety to your WordPress setup. Here are some of the plugins that I have personally used on many WordPress sites.

  1. Login Lockdown
  2. Shield Security
  3. Block Bad Queries
  4. WordPress File Monitor
  5. WP Security Scan
  6. Wordfence
  7. Sucuri Security
  8. Antivirus
  9. Wp Security & Firewall
  10. MalCare

WP Security

This plugin can help you run some basic security checks on your WordPress setup. You get to make a few fixes from the plugin’s options page. You can install this plugin, run the scan and fix the minimal security issues. Once the basic fixes are done, you can uninstall the plugin.

The WP Security Scan plugin makes the following changes to make your WordPress installation more secure –

  • Change the table prefix wp_ to a custom name of your choice.
  • Hide the WordPress version.
  • Set up .htaccess in the wp-admin folder.
  • Remove the default admin user.
  • Remove the WP ID meta tag.
  • Turn off database error reporting.
  • Notify you when a WordPress update is available.

Sucuri WordPress Security Plugin

Sucuri plugin improves the WordPress security by adding –

  • A Web Application Firewall
  • Integrity Monitoring
  • Audit Logging and Activity Reporting
  • 1-click Hardening
  • Server Side Scanning

This is a premium plugin and includes features like 1-click hardening, which most free plugins in the WordPress directory don’t offer.

Wordfence Plugin

The plugin is available in free and premium versions. The free version lets you –

  • Verify the integrity of the WordPress core, themes, and plugins.
  • Keep WordPress updated and get notified of new updates.
  • Scan your WordPress installation for malware, backdoor scripts, and phishing.

The premium version of the plugin offers scheduling scans, IP blocking, and remote security scans.

Shield Security

The WordPress firewall blocks SQL injection attacks, brute force attacks, and spambot registration attacks. It also notifies you by email when a live attack happens on your site; if you don’t like email notifications, you can disable them. It also comes with a handy feature that lets you block any IP that repeatedly attempts to attack your WordPress setup. You can also blacklist certain IP addresses for additional protection, and the plugin has an option to whitelist IP addresses you trust.

MalCare Security Solution


MalCare is from the makers of the BlogVault backup and security plugin. It is a heavyweight plugin that is light on your own server, because the security features, from scanning and cleaning malware to blocking bad actors with the firewall, all run on MalCare’s servers.

Additionally, MalCare provides these power-packed features:

  • MalCare’s regular scans alert you to hacks immediately, so your sites stay secure.
  • The auto-clean feature lets you scan and clean your sites yourself, so you don’t waste precious time looking for outside help.
  • The firewall stops malicious bots from gaining unauthorized access to your site, while the Captcha-based protection limits the number of failed login attempts.
  • Manage and update plugins, themes, users and more from one independent dashboard. MalCare is well suited to agencies and businesses because of its white-labeling and automated client reporting features.

Block Bad Queries

The Block Bad Queries plugin monitors the request URI of every request to WordPress and filters out some of the common attacks. It checks for excessively long request strings (i.e., greater than 255 characters), as well as the presence of either “eval(” or “base64” in the request URI. Block Bad Queries does a completely different job from that of WordPress Firewall 2, so it makes sense to have this plugin installed alongside WordPress Firewall 2.

WordPress File Monitor

This plugin keeps track of every change in the WordPress installation. It logs changes to the files in the WordPress directories and notifies you when they occur. If a hacker gets access to your themes and plugins and writes new content into any file, you’ll get a notification of the change. This makes it easy to see which file to roll back to its previous state; you can then restore the unaffected copy from your backup. To do this, you need a separate backup plugin or regular manual backups.

Limit Login Attempts

When a hacker tries to get into a site, they might use special software tools. They use these to launch something called a brute force attack.

Their software programs try thousands, or hundreds of thousands, of usernames and password combinations. They can do this in a very short space of time. The way to prevent attacks of this type is to limit the number of login attempts.

If a user fails to log in after X attempts, the system locks their IP address for a set length of time. Once the time expires, they can try to log in again. It’s a sensible precaution. It’s there so that genuine users — who accidentally mistype their passwords — can access their site after the lockout period. As for the hackers, the delay is usually long enough for them to give up and move on to an easier target.

Login Security Solution

It keeps track of failed login attempts and slows down the response times. This, in turn, reduces brute force attacks on the login page.

Antivirus

The Antivirus plugin helps your WordPress setup by scanning the files for malware and viruses. It detects every change in a file and reports it in the dashboard. It does raise false positives sometimes, when it flags changes to require_once, include and other updated snippets that are genuine yet reported as malicious code. If any theme uses eval, base64_decode or shell_exec, it will be flagged in the report. You can then replace such themes with ones that have more secure code.

Cloudflare for Security

Cloudflare offers a CDN service that automatically blocks common threats. It filters all incoming traffic to your site and protects you from comment spam, excessive bot crawling, malicious attacks like SQL injection and denial of service (DoS) attacks, and more. Beyond security, it also caches your static content and serves it to repeat visitors. They offer a free plan for the CDN and security features, so you can try their service before opting for a premium plan.

Some plugins only prompt you to scan once a month. Depending on your website traffic, you should run a security scan every week. If you can’t afford a premium backup plugin, there are free plugins that can do the job for you.

Dedicated WordPress Hosting

There are some dedicated WordPress hosts that offer custom installs with better performance than your average shared hosting. The first thing they offer is simplicity of installation: you just add your domain name and click a few buttons to get into the dashboard of your new WordPress install. They have suggestions and limits for the types of plugins you can use, so they pretty much make sure your website has less downtime on the security front. These web hosts are optimized for better WordPress performance. They are not your typical cheap shared hosts, so expect to spend some money if you want to migrate your websites to their infrastructure.

Here are some of the dedicated WordPress Hosts worth checking out –

  1. Siteground
  2. WPEngine
  3. Synthesis
  4. Pressable
  5. Page.ly

There are many other web hosts that offer managed WordPress hosting. Make sure you read the testimonials from other customers and discuss which plugins can be used on the hosting service before you purchase their hosting plan.

If you are searching for such dedicated WordPress hosts, I suggest first collecting the reviews and then choosing which hosts meet your requirements. Ask all the questions you have about the hosting service related to performance and security. Compare the answers from all the hosts and then choose the one that fits your budget and requirements.

Managed or dedicated hosting services are only good if you are serious about caching, performance and security for your website.

Identify and Fix a Hacked WordPress Website

Your website is hacked, and you don’t know what to do next. Here are some of the things that I think you should do.

  • Put WordPress into maintenance mode.
  • Export the post data from Tools > Export and keep that backup on your desktop. Scan and manually check the XML file for any injected code.
  • Notify your web host about the incident. Check the security logs on your hosting account for a record of the intrusion.
  • Change the passwords of your hosting control panel, FTP, domain name and the email account associated with these accounts.
  • Change the database password in wp-config.php and replace the authentication keys with a new set of keys.
  • Remove the old themes and plugins from the setup.
  • If there are too many fixes to make to the WordPress code, install a fresh WordPress setup.
  • Check the file permissions on the web server. Make sure none of them are set to 777. Use Sucuri or Exploit Scanner to check the files on the web server.
  • Make sure other sites in the hosting account are not affected by doing a security audit of those accounts.
  • Check for malicious files in the hosting account.
  • Do a fresh install if you find any security issues with WordPress.
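Two of the checklist items above, the 777 permission check and the search for injected code, as an added Python example that is not part of the guide; it builds a constructed miniature WordPress tree in a temporary directory so it runs offline.

```python
import os
import re
import stat
import tempfile

# Added example. Finds paths with 777-style (world-writable) permissions and
# PHP files calling eval(), base64_decode() or shell_exec(). A hit is a lead
# to review by hand, not proof of compromise: some legitimate plugins use
# base64_decode, so compare any flagged file against a clean copy.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode|shell_exec)\s*\(", re.IGNORECASE)


def world_writable(path):
    """True if the 'other' write bit is set (e.g. mode 777 or 666)."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def scan_tree(root):
    """Walk `root`. Returns (sorted world-writable paths, {php file: [functions]}),
    both relative to `root`."""
    writable, flagged = [], {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if world_writable(path):
                writable.append(os.path.relpath(path, root))
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(fh.read())})
            if hits:
                flagged[os.path.relpath(path, root)] = hits
    return sorted(writable), flagged


def build_sample_site():
    """Create a constructed miniature WordPress tree: a clean config, a clean
    theme file, an uploads directory left at 777, and a PHP file dropped into
    uploads that decodes and evals a harmless constant string."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "wp-config.php": "<?php\ndefine('DB_NAME', 'demo');\n",
        "wp-content/themes/demo/functions.php":
            "<?php\nadd_action('init', 'demo_init');\n",
        "wp-content/uploads/2023/10/image.php":
            "<?php\neval(base64_decode('Y29uc3RydWN0ZWQ='));\n",  # constructed sample
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    # Pin directory modes so the result does not depend on the process umask.
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    writable, flagged = scan_tree(site)
    print("world-writable:", writable)
    print("suspicious PHP:", flagged)
```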

Ask for Help

You may be an expert WordPress user, but there are many things you can’t do yourself unless you know what to fix and how. In that case, it is better to ask for help from the hosting support team or an expert who knows how to fix things.

When you contact them to fix WordPress issues, be prepared to offer them the following –

  • Keep your backup and download it to your local drive before you give access to your hosting account.
  • Keep your server logs backup.
  • Explain your problem to them.
  • Point out the issue with the help of screenshot or URL if possible. Ask them to explain to you what was the problem once they finish their fixes.

You can always ask for help in official WordPress forums.

There are also many WordPress security professionals who can help you for fixed fees.

Security Checklist

Use this checklist to fix and maintain your WordPress website. Keep your website safe and secure, by prioritizing the tasks.

WordPress Security Setup Checklist

Keep your WordPress setup secure by executing these tasks.

  • Install WordPress backup plugins.
  • Install login security plugin.
  • Install Security scan plugin.
  • Remove unused themes and plugins.
  • Perform basic WordPress setup hardening.
  • Schedule automated website backups.

WordPress Security Maintenance Checklist

Once you set up the security measures for your WordPress site, don’t forget to maintain it regularly.

  • Perform security hardening with php.ini and .htaccess.
  • Schedule backups.
  • Remove unnecessary security plugins.
  • Remove unused plugins and themes.
  • Search for bad files in the server logs.
  • Check server logs for intrusion attacks.
  • Check the security issues with updated version of plugins.
  • Check the issues with WordPress update.
  • Take a backup of MySQL, WordPress files, and other media files.

Website Information Checklist

Make sure you have this information stored securely. If you have more than one website, keep all this data in a spreadsheet stored on an encrypted drive or a trusted online service.

  • WordPress Logins
  • Domain Registrar Login
  • Hosting Account Login
  • Email Logins & Settings
  • FTP Login Information
  • Google Accounts
  • Backup service login

Here are some of the resources that you should keep a tab on for more information on WordPress security.

