Wordpress Security Guide - image  on https://trunk.ly

Is WordPress secure?

WordPress is one of the popular content management systems on the internet. It used to be a simple blogging engine earlier but now it is powering some of the popular media back-ends, shopping carts, and services. With popularity comes the security threat that exploits the core architecture.

WordPress suffers from minor security issues every now and then. Some of these security loopholes are patched quickly due to the active developer community. However, most of the security issues can be avoided by hardening the WordPress setup.

This guide forces the approach of better security practices that you can follow to safeguard your setup from common threats. You’ll learn some common fixes that can help your WordPress setup. You’ll also learn about files which are required to be modified in order to harden the security.

Never take WordPress security issues lightly.

Page Contents

Even minor plug-in or theme change can lead to a security flaw in WordPress. Remember, as software evolves so does the security flaws. The best thing that you can do is take precautions and avoid the common grounds from which security flaws are likely to affect your WordPress site.

Getting Started with WordPress

Security WordPress security hardening requires editing of the following files – php.ini, wp-config.php and .htaccess. If you don’t know how to edit files on your webserver then you have to either hire someone to do this for you or ask your hosting support team for help.

What are these Files? In this guide, we are going to discuss files like php.ini, wp-config.php and .htaccess. You’ll notice that most of the security issues are fixed by modifying these files.

  • .htacccess – This file holds the configuration settings on per directory level in Apache web server.
  • Wp-config.php – This file has WordPress database credentials and auth keys. It can be used to execute Core settings while running WordPress.
  • Php.ini – This configuration file is used to customize the behavior of PHP on runtime level.

Note: Making a small mistake in editing .htaccess can make your WordPress website inaccessible. Make sure you do the editing manually.

If you’re not sure how to edit this file, contact me. Keep a backup of your .htaccess file before you modify it. Some of the changes in .htaccess can be done using a plugin, use such plugins wherever if you’re not comfortable editing the file manually.

Microsoft Web Server

This guide focuses on the security fixes that are applicable to the Linux web host running Apache web server. If you’re running Microsoft IIS servers then fixes related to the .htaccess do not apply to your case. However, php.ini and wp-config.php fixes are still applicable. I suggest consulting with your web hosting company to harden your WordPress setup on Microsoft web server.

File Permissions

Each file on the Linux or Unix based web server has read, write and execute levels. Users who access these files are divided into three groups – user (owner), group and the world. You can make your website more secure if you set the file permissions that restricts the anonymous users and group from modifying them. As you can see by default webserver sets some permission levels for you. Common permissions that you’ll find on a web server.

  • 755 – User can read, write and execute a file, whereas group and the world can execute and read the file. 644 – User can read and write, whereas group and the world can read.
  • 777 – User, group, and the world can read, write and execute.
  • 400 – User read only. Group and the world have no permissions.
  • 444 – All user levels can read.
  • 600 – User can read and write, whereas world and group have no permissions.

As you can see the level of strictness from these permissions, you should stick to 644 and 755 when you modify the permission levels. By default, WordPress sets file permission to 644 and folder permission to 755.

You should never set any file or folder to permission 777. Some cache plug-ins require you to set the permission of the plug-in folder to 755, if your webserver overrides it to 644. Permission settings vary from one host to another. It also depends on the Operating system that is used on the hosting account. You may find a completely different way to set the permission level for windows server.

When you upload the files to the webserver via FTP or web-based uploader, check the permissions.

Local Computer Security

Some of the security issues can be prevented by keeping your local computer secure. That way, you don’t end up uploading insecure files on your webserver.

  • Make sure you have updated anti-virus.
  • Check your computer with antimalware for malicious scripts on regular basis.
  • Update your computer security fixes for your operating system.
  • Keep your browser updated. Only use secure browser add-ons.
  • Make sure you turn on the firewall.

Secure Passwords

Wordpress Security Guide - image  on https://trunk.lyThere are some of the services that offer to generate secure and longer passwords. Here are some of the options to generate the secure passwords. You can also use programs like Lastpass to store your passwords and use it for the autologin.

Password Managers:

  1. LastPass
  2. KeePass
  3. RoboForm

Don’t store the passwords in the normal text or word files. Don’t store the passwords in the FTP programs. Don’t store passwords in any program that gives access to any other user than you.

Backup your WordPress

Wordpress Security Guide - image  on https://trunk.lyA first and most important thing to do is backing up your website. Install backup plugins or manually take backup of WordPress. We’ll talk about WordPress backup options later in this guide. Always backup before you update the WordPress to a new version. Never update the live site and take few hours to check the security issues and bugs of the new version before you update.

WordPress Security Fixes

Here are some of the security fixes that you should apply for hardening your WordPress setup. Most of the fixes in this chapter can be applied with the help of a plugin.

There are also some of the fixes that requires you to be a careful while editing php.ini and .htaccess files. As changing them can affect your WordPress setup.

Replace Admin User

By default WordPress, a user is set to “admin” and many hackers use the default “admin” user for the attack. In order to remove the default user, you need to first create a new user with your custom name. Once you do that you can set that user as admin and then remove the default “admin” user. That way hackers can’t guess the new administrative account name. If you do plan to use the default admin user account, then avoid posting articles or any sort of content. You can setup editor account for the content and other management purposes. Keep the admin level account only for the administrative work. You can also rename the admin username from the PHPMyAdmin SQL query window.

Run the following query

UPDATE wp_users SET user_login = 'your_new_login' WHERE user_login = 'admin';

Where your_new_login is the new name of your user.

You can also verify the new change in the tables by checking the tables in the WordPress database.

You can try these plugins to do the job Admin renamer extended, Username Changer, WPVN – Username Changer.

Use a Strong Password

Make sure your password has – upper and lowercase characters, special symbol and numbers. If you use Cpanel Installers like Fantastico or Softaculous then the password for the setup is selected by the respective installer. In order to have better security, you should change the default password given by any such installer. Use LastPass password generator tool for creating strong and safe passwords for your WordPress installation. If you can’t remember long password then Lastpass is very handy for remembering such passwords.

Worth Mentioning

  • Secure Password Generator – generates a unique set of custom, high quality, cryptographic-strength password strings which are safe for you to use.
  • SuperGenPass – A master password and the domain name of the Web site you are visiting is used as the “seed” for a one-way hash algorithm (base-64 MD5). The output of this algorithm is your generated password. You remember one password (your “master password”), and SGP uses it to generate unique, complex passwords for the Web sites you visit. Your generated passwords are never stored or transmitted, so you can use SGP on as many computers as you like without having to “sync” anything.
  • Password Safe – Whether the answer is one or hundreds, Password Safe allows you to safely and easily create a secured and encrypted user name/password list. With Password Safe, all you have to do is create and remember a single “Master Password” of your choice in order to unlock and access your entire user name/password list.

Related Information

Secure the Dashboard

Login Dashboard login page is the place where hackers are likely to attack the most of the times. You can protect the dashboard login page in many ways. You can also customize the dashboard so that hackers don’t use bots to gain access. You can do that by following some of the options like –

  • Changing the login page URL from /wp-admin/ to some other custom name.
  • Limit login attempts with plugins like – simple login lockdown.
  • Use two-factor authentication for additional security to the dashboard.
  • Use e-mail ID instead of the username for logging into the dashboard.
  • Use reCaptcha on the login page.
  • Use invite codes and give them to trusted people to filter any spam bot signups.
  • Add Password Authentication to wp-admin folder

Protecting the folder is much better option to protect your data. The folder “wp-admin” is very important and can be protected by using directory level password authentication. You can use Cpanel or similar other hosting control panels to set the folder password.

Some of the hosts also offer file manager within the browser, which you can use to set the folder permission and set password. Most of the hosting services offer Cpanel or Zpanel which has features related to the security to files and folders. If you’re unsure how to perform this task, I suggest hiring a programmer to do this for you.

Use a .htaccess file in the ‘wp-admin’ directory to limit access to only certain IP addresses. Add the following code in your .htaccess to protect the directory and allow access from certain IP address.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx
# whitelist work IP address
allow from xxy.xxy.xxy.xxy


Change the default table prefix in the WordPress database

By default, WordPress installation script makes use of a predefined table prefix. The default prefix is “wp_”. Changing the table prefix can help avoid some of the common database-related security issues. Softaculous and Cpanel hosting control panel allow you to modify the MySQL or Postgre DB from the browser.

If your installation script finished with the default prefix then you have to manually make changes to the wp-config.php and change the prefix to the custom name.

Once you change the prefix to some other custom name, make the changes in wp-config.php. Edit wp-config.php which is found in your WordPress root directory.

Find the line that reads:

$table_prefix = ‘wp_’;

Change it to:

$table_prefix = ‘newName_’;

Where “newName_” is the new name that you want it to be with the underscore in place. Likewise, you have to rename the other tables with “wp_” prefix and replace them with a new name.

In order to do this, you have to log in to PHPMyAdmin dashboard on your hosting control panel. If you have any other database than MySQL then you have to access respective database administration panel for renaming the tables in WordPress database.

Some of the security plugins allow you to modify the WordPress database prefix even after the installation. You can choose to use that option if you’re unsure how to edit wp-config and changing the prefix in PHPMyAdmin. I suggest this option to anyone who has no idea about modifying PHP files or working with the database.

Move your wp-config.php file

The default location for the wp-config.php often gets targeted by the hackers for the SQL injection attack. You can change the default location of the wp-config.php file to other folders in WordPress directory. WordPress installation will search for this file automatically if it doesn’t find the file in the root folder and will resume the necessary tasks. From WordPress 2.6 onwards you can easily move the location of the wp-config.php file.

Remove Sensitive Information from wp-config.php

Create a new ‘config.php’ file

Create a new file called ‘config.php’.  The file should be created in a non-WWW accessible directory.

For example, if your blog or website content is in /home/youruser/public_html/, then create the file config.php in /home/youruser/ so the file cannot be reached by any of your visitors. Typically this should be a directory before public_html or www directory.

Open the existing WordPress wp-config.php file and move the lines which contain the database connection details, the database prefix and also the WordPress security keys from the wp-config.php file to the new config.php file as shown in the below example.
Add <?php at the beginning of the new config.php file and ?> at the end of the file.

define('DB_NAME', 'Your_DB'); // name of database
define('DB_USER', 'DB_User'); // MySQL user
define('DB_PASSWORD', 'DB_pass'); // and password
define('DB_HOST', 'localhost'); // MySQL host

// The WordPress Security Keys

define('AUTH_KEY',         'Your_key_here');
define('SECURE_AUTH_KEY',  'Your_key_here');
define('LOGGED_IN_KEY',    'Your_key_here');
define('NONCE_KEY',        'Your_key_here');
define('AUTH_SALT',        'Your_key_here');
define('SECURE_AUTH_SALT', 'Your_key_here');
define('LOGGED_IN_SALT',   'Your_key_here');
define('NONCE_SALT',       'Your_key_here');

// The WordPress database table prefix
$table_prefix  = 'wp_'; // only numbers, letters and underscore
Modify wp-config.php file

After removing all the sensitive data from the wp-config.php file, simply add the following line straight after <?php in the wp-config.php file; include(‘/home/yourname/config.php’);. So the first two lines of your wp-config.php should look like this;


Now instead of having all the sensitive information stored in your wp-config.php file, the wp-config.php file is reading such information from a different location. Please note that the include path (i.e. /home/yourname/) varies from one web server or web hosting provider to the other.

When you do that nobody except the person who has the FTP or SSH access will be able to find this file.

You can disable the access to the folder in which wp-config.php resides by creating the .htaccess file and then adding the following code in it.

<files wp-config.php>
order allow,deny
deny from all

Change Default Secret Keys

WordPress has a secret keys system, which is basically a hashing salt that is used against your password to increase its strength. These keys are located in the wp-config.php file.

define('AUTH_KEY', '');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY', '');
define('NONCE_KEY', '');

The default keys can be replaced with the newly updated keys from the WordPress.org site. Point your browser to https://api.wordpress.org/secret-key/1.1

Copy the keys from this page and paste it on your WordPress setup.

Disable HTTP Trace Method

WordPress installations often get attacked by Cross Site Tracing (XST) and Cross Site Scripting (XSS) which together exploits systems which have HTTP TRACE functionality. The HTTP Trace feature is used by the web hosts for debugging purpose. Attacks that involve XST will usually steal the cookie and other sensitive server information via header requests.

You can disable HTTP trace by adding following code to your .htaccess file:

RewriteEngine On
RewriteRule .* - [F]

Secure File Permissions

All WordPress Core Files should have 0644 Default Permissions. This means the files are writeable by user account. Default WordPress Folder Permissions are 0755, that means the file is writeable only by the user and readable by web server and everyone else. If your web host has Cpanel as a control panel, you can use the file manager to change the permissions of the files and folder in your WordPress directories.

Disable File Editing

You can edit WordPress theme files from the Dashboard editor. This can be problematic once your dashboard gets hacked. Anyone can inject malicious code into theme files. In order to avoid this, you have to disable the file editing feature.

You can do this by editing the wp-config.php file and changing the following the line. Set the value to ‘true’ if it is set to ‘false’. define(‘DISALLOW_FILE_EDIT’, true);

Protect install.php

There are two ways you can protect the install.php. The first method is to remove the file completely and in second method you have to restrict the access by modifying the .htaccess.

<Files install.php>
Order Allow, Deny
Deny from all
Satisfy all

Protect Sensitive Files by Type

You need to protect some of the files in the WordPress Core.

You can use following code in .htaccess to protect these files in PHP format.

<Files "\.(htaccess|ini|php)$">
Order Deny, Allow
Deny from all
Allow from xxx.xxx.xxx

Deny Comments via Proxy Server

If you want to avoid the comments from a proxy server, you have to deny the proxy server access for your website. This may not be a good idea all the time because many genuine users access the internet bypassing the workplace firewall.

In any case, if you want to restrict the access to comments, use the following code in your .htaccess file.

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

Deny Harmful Query Strings

Add the following code in your .htacces file to help prevent XSS attacks.

RewriteCond %{QUERY_STRING} ../ [NC,OR]
RewriteCond %{QUERY_STRING} boot.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} .([|]|(|)|<|>|'|"|;|?|).* [NC,OR]
RewriteCond %{QUERY_STRING} .(%22|%27|%3C|%3E|%5C|%7B|%7C). [NC,OR] RewriteCond %{QUERY_STRING} .(%0|%A|%B|%C|%D|%E|%F|127.0). [NC,OR] RewriteCond %{QUERY_STRING} .(globals|encode|config|localhost|loopback). [NC,OR] RewriteCond %{QUERY_STRING} .(request|select|insert|union|declare|drop). [NC] RewriteRule .*$ - [F,L]

Disable Folder Browsing

Keeping your WordPress directories accessible to the anonymous users, in turn, help hackers collect information about the plugins and WordPress setup. This can be prevented by disabling the folder browsing on your server.

There are two ways to disable folder browsing.

  • You can create index.html in each folder of your WordPress setup. This way users can’t view the rest of the folders in the hierarchy.
  • If you use Linux server, then you can type the following code in your root folders .htaccess file.

Options -Indexes
In a case of Windows server, you need to upload the index.html in every directory of WordPress directory.

Hide PHP Disclosure Information

By default, PHP installation discloses the version information via HTTP headers. e.g. “Powered by: PHP/version”. This is a big security risk because if your PHP version is old, hackers can use this to their advantage and run security attack.

You can turn this feature off by modifying the php.ini file. expose_php = Off

Another security hack that can be done on php.ini is disabling the errors on your server. e.g. When you have any issues with the WordPress setup, it shows the specific error on a page, including the internal directory path.

This can be disabled by modifying the following line in PHP.ini file. display_errors = Off
Once you apply these two fixes, you can verify if you still see HTTP header and the PHP error page to make sure the information is not there anymore.

Use Suhosin for PHP

Hardening on Your Server Suhosin is an advanced protection system for PHP installations and helps keep the web server safe from common PHP vulnerabilities. Most of the modern web servers have Suhosin installed, in case if your server has no Suhosin, you may need to get in touch with web administrator to install it for you.

Delete Unused Plugins and Themes

Remove the unused plugins and themes from the setup. If you’re not planning to use them anytime soon, it is better to get rid of them. If you don’t want to delete them, at least keep them updated. Keeping the unused plugins and themes just increase load on your security checklist. If any of such plugin has security flaws, it also affects your setup even if you are not using it on the website.

Disable User Registration

Most of the WordPress setups are operated by a single user. Unless you are using multi-user WordPress setup, you don’t need the registration feature in the WordPress. You can always create the users manually inside the WordPress dashboard and let the authors log in. Make sure “Anyone can register” option is unchecked in Settings – General page.

Add SSL To The Login Page

Web hosting services offer SSL certificates at price of 3$ per year. You can enforce SSL on your dashboard login page, in turn making the login credential secure over the line.

Once you purchase and point the SSL certificate to the login URL, use the following code inside wp-config.php to enforce SSL. define

('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

Who should purchase SSL certificate? If you are a typical blogger, SSL certificate may not be much use to you. Though it is cheap to use SSL certificate for your domain but unless you’re dealing with sensitive data and financial budget, it may or may not be suitable for you to use SSL certificate.

Stop Search engines from Browsing Directories (Optional)

Add the following code in your robots.txt from searching and indexing WordPress directories.

User-agent: *

Disallwo: /cgi-bin/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /xmlrpc.php
Disallow: /wp-login.php
Allow: /wp-admin/admin-ajax.php
Sitemap: http://yourdomain.com/sitemap.xml

Enable Logging And Archiving For Apache

Apache Logging can help you understand how the intrusion happened in WordPress Setup and point to the security flaw in Plugin or Theme. You have to enable logging and archiving of the Apache web server access logs. If your web host has Cpanel as control panel then you can enable this feature by following these steps. Check the Logs group. Click on Raw Access Logs icon. Select “Archive logs in your home directory”.

If you are on Windows hosting server, you have to write a support ticket and let the server administration support team sort this out for you.

Secure PHP Installation

Set the following attributes in php.ini to Off. Each of the disabled function helps keep your WordPress setup secure.

register_globals = Off
allow_url_fopen = Off
short_open_tag = Off
display_errors = Off
display_startup_errors = Off
log_errors = On
magic_quotes_gpc = Off
magic_quotes_sybase = Off

Set the register_globals to OFF so that you can stop the hackers from modifying the variables in PHP. Setting allow_url_fopen to Off will stop users from including and executing code from other websites in the PHP code. Set short_open_tag to OFF will make PHP code interpretation more strict.

Setting display_errors and display_startup_errors to OFF will prevent the users from reading the path of the themes and plugins if they throw any errors. And Setting log_errors to ON will enable error logging which helps during cases of a malware attack or intrusion attack. The magic_quotes_gpc and magic_quotes_sybase are set to OFF so that content with quotes is filtered properly and quotes are not being used for the attack.

If enabling any of these features in PHP.ini reduces the ability of WordPress setup for your work. You can turn each such feature off respectively. You don’t have to sacrifice any feature at the expense of hardening which may sometimes be handled in another way more effectively. You can also kill the execution of PHP in certain folders.

However, I don’t recommend this method because sometimes the plugins and folder cease to work.

If you want to stop PHP file execution in certain folders, just create a .htaccess file and add the following code into it.

# Secure [Directory Name]
<Files *.php>
Order Allow, Deny
Deny from all

Usually, you can use this code in the .htaccess file that can be placed in /uploads and /wp-includes directory. However, I suggest testing the files on a local server before deploying this hack on the live website.

WordPress Security Plugins

Free or Premium Plugin

It is not easy to select the type of the plugin suitable for your setup. Some of the premium plugins are suitable if your WordPress data is critical for your business. If you run a hobby blog or non-commercial blog, you don’t have to invest into a premium plugin. Keep in mind, the more important data that is being handled by WordPress, the harder your security setup should be.

How Many Plugins?

I have listed plenty of plugins for you to choose from and to install on your dashboard. However, you don’t have to install a lot of plugins. For example, If you are the only person to log into your WordPress dashboard, you don’t need many login security plugins. You can use the plugins that get you minimal security without having to reduce the performance of your WordPress setup. Do note that some of the hosts do not allow certain WordPress plugins.

So always consult with your hosting service before attempting to use any plugin that modifies your WordPress setup. e.g. Wpengine and Zippykid hosting services have their own guidelines on which type of plugin you can use for cache and security.

How to Choose a Plugin?

In order to choose a right plugin for your WordPress setup, use the following checklist.

✔ Check for the number of downloads. Select the higher downloaded plugin.
✔ Check how many issues are reported in plugins forum in WordPress.org site.
✔ Check the plugin authors activity in the Forum.
✔ Check the number of updates of the plugin. Ignore the star rating of the plugin.
✔ Check how the plugin makes use of unique namespace items.
✔ Check how the plugin makes use of settings API in the features.
✔ Check the Hooks, Filters, and Actions inside the plugins.
✔ Check if the plugin has properly sanitized data and MySQL statements.
✔ Choose the plugin that does one task really well.
✔ Check the plugins that use nonces instead of browser cookies. If the more than one plugin does the same task, choose the plugin with higher download count and reviews.
✔ Check the reputation of the plugin author in the WordPress community.

These are the criteria to look at while selecting the security plugin from the wordpress.org repository. If you choose to install the premium version of the plugins then you have to search online for the reviews. Also, test drives their free plugin or trial service before you buy the plugin.

Essential WordPress Security Plugins

Installing some of the essential plugins can ensure safety to your WordPress setup. Here are some of the plugins that I have personally used on many WordPress sites.

  1. Login Lockdown
  2. Shield Security
  3. Block Bad Queries
  4. WordPress File Monitor
  5. WP Security Scan
  6. Wordfence
  7. Sucuri Security
  8. Antivirus
  9. Wp Security & Firewall

WP Security

Wordpress Security Guide - image  on https://trunk.lyThis plugin can help you run some basic security checks on your WordPress setup. You get to make few fixes from your plugin options page. You can install this plugin, run the scan and fix the minimal security issues. Once cleared the basic security fixes, you can uninstall the plugin.

The WP Security scan plugin does following changes to make your WordPress installation more secure –

  • Change the prefix wp_ to a new custom name of your choice.
  • Hide the WordPress version
  • Set .htaccess in Wp-admin folder.
  • Remove default admin user
  • Remove WP ID meta tag.
  • Turn off database reporting errors.
  • Update notification to WordPress update.

Sucuri WordPress Security PluginWordpress Security Guide - image  on https://trunk.ly

Sucuri plugin improves the WordPress security by adding –

  • A Web Application Firewall
  • Integrity Monitoring
  • Audit Logging and Activity Reporting
  • 1-click Hardening
  • Server Side Scanning

This is a premium plugin and contains feature like 1-click hardening, which is not usually given by most of the free plugins in the WordPress directory.

Wordfence PluginWordpress Security Guide - image  on https://trunk.ly

The plugin is available in free and premium version. If you install the free version, it lets you –

  • Verify the integrity of the WordPress core, themes, and plugins.
  • Keep WordPress updated and notify new updates.
  • Scan your WordPress installation for malware, backdoor scripts, and phishing.

The premium version of the plugin offers scheduling scans, IP blocking, and remote security scans.

Shield SecurityWordpress Security Guide - image  on https://trunk.ly

WordPress Firewall avoids SQL injection attacks, brute force attacks, and Spambot registration attacks. It also notifies you via email when any live attack happens on your site. If you don’t like email notifications, you can disable it. It also comes with one handy feature which allows you to block the IP that regularly attempts to attack your WordPress setup. You can also blacklist certain IP address for additional protection. If you want some of the IP address in a whitelist, the plugin has an option that lets you do that.

Block Bad QueriesWordpress Security Guide - image  on https://trunk.ly

Block bad queries plugin is designed to monitor the request URI in the WordPress dashboard. This way it can filter out some of the common attacks. This plugin checks for excessively long request strings (i.e., greater than 255 characters), as well as the presence of either “eval(” or “base64” in the request URI. Block bad queries does a completely different job to that of WordPress firewall 2. So it is necessary to have this plugin installed with WordPress Firewall 2.

WordPress File MonitorWordpress Security Guide - image  on https://trunk.ly

This plugin keeps track of every change in the WordPress installation. It keeps log of the changes in the files of WordPress directories. It notifies you of the changes that take place in the files. If any hacker gets access to your themes and plugins and rewrites new information on any of the file, you’ll get the notification of the changes. This plugin is handy to understand which file to rollback in the previous state. You can use the backed-up files to restore the unaffected file in that place. In order to do this, you need to have a different backup plugin or manual backup on regular basis.

AskApache Password Protect (Inactive)

The ‘AskApache Password Protect’ plugin adds good password protection to your WordPress Blog. This plugin should be used if you don’t have a static IP and if you can’t use directory protection for your IP address.

Limit Login AttemptsWordpress Security Guide - image  on https://trunk.ly

Install the plugin and set the number of attempts on plugins options page. You can also set the number of minutes to keep the lock on a login page. It also keeps the log of a number of attempts and number of times the lock was set.

Login Security Solution

It keeps track of some failed login attempts and slows down the response times. This, in turn, reduces the brute force attacks on the login page.

WP Login Security 2 (Inactive)

This plugin keeps track of the IP address used by the administrators and then if the administrator tries to log in from unknown location, the plugin sends the activation link in order to validate the login from a genuine administrator with the help of email.

AntivirusWordpress Security Guide - image  on https://trunk.ly

Antivirus plugin helps your WordPress setup by scanning the files for malware and virus. This plugin detects every single change in file and reports in the dashboard. It does raise the false positives sometimes when it triggers the change in require_once, includes and other updated snippets which are genuine yet reported as malicious code. If any theme uses eval, base64_decode or shell_exec then It’ll notify in the report. You can then replace such themes with those which has a more secure code.

Cloudflare for SecurityWordpress Security Guide - image  on https://trunk.ly

Cloudflare offers CDN service which automatically blocks the common threats. It filters all the incoming traffic to your site and protects you from comment Spam, excessive bot crawling, malicious attacks like SQL injection and denial of service (DOS) attacks and more. Other than security, It also caches your static content and serves them to the repeat visitors. They offer a free plan for the CDN and Security, so you can take advantage of their service before opting for the premium plans. Some of the plugins notifies for scan once every month. You should run the security scan every week depending on your website traffic. If you can’t afford premium plugin for backup, you can install free plugins that can do the job for you.

WordPress Database BackupWordpress Security Guide - image  on https://trunk.ly

You can save a lot of headache of recovering your site if you take regular backup. You can schedule some of the plugins to automatically backup your site when you post or certain times during the week. When it comes to WordPress backup there are plenty of solutions. Here we are going to discuss three methods – plugins, hosted backup services and manual backups.

WordPress Backup Plugins – These plugins can help you take backup your WordPress posts, comments, and other settings and store it wherever you wish. Some of them offer the feature of emailing your backup or uploading it to a remote server like Amazon S3, Dropbox or any other backup service.

Hosted Backup Service – These services integrates with the WordPress setup and take a regular snapshot of the WordPress setup. They are basically plugins that are connected to the backup server. Services like VaultPress, CodeGuard and Blogvault offer such service.

Manual Backup – In this method, you have to take backup of the setup and keep it safe on your own. You have to store the backed up data to any other place than the hosting server. There are free and paid backup plugins available for the WordPress. You can choose one that fits your needs.

Most of the free plugins that upload the data to dropbox or send data via email are preferred by the WordPress community members. If your WordPress data is critical then subscribing to the service like Vaultpress or Codevault is much better option. You can also use premium plugins like backupbuddy or backupify to backup your data. The more important your data, the better to get your backup to hosted solution.

Here are some of the backup plugins that can solve your backup and monitoring requirements.

WP-DB Manager

This free plugin is very handy to optimize your database. It also sends the backup via email to the admin or the specific user. The plugin is not easy to use as there is no specific point for the newbie to learn from and use. However, if you are comfortable with WordPress and it’s various plugin configuration then it is not hard to use the plugin.


This is another free plugin that does the – scheduling, upload to Google drive, email notification on errors and selective backup. There are bugs in the plugin once in a while but gets the job done.


This is a free plugin that is very handy for uploading your database backup to external services like dropbox, amazon s3, Google drive and few other backup services. Restore option for a fresh install is included in the plugin. It doesn’t have active support in the forums but for the free plugin it gets the job done and doesn’t have critical bugs.


This plugin is very popular for backing up the database. It is very simple to use this plugin. It does only one task – which is backing up the core database. You don’t get to choose the backup location. You can’t backup posts and other files. There isn’t much support provided for this plugin. But considering the ease of use and quick backup of the database, this plugin is perfect for newbies who can’t use other advanced plugins.

Hosted Backup Services

Hosted backup services are recommended for those who can’t afford to lose their WordPress data. There are many hosted solutions in the market, but very few are preferred because of after-sales support.


This is the service from the Automatic Inc. makers of WordPress. They have integrated the hands-free option for taking backup and restoring it. You just have to integrate this service with your WordPress setup. You can schedule regular backups and also keep it on their servers. If you can afford the budget for hosted solution then VaultPress is the first service to consider for backup.


This is managed backup service that takes care of the hassle of database backup for you. The plugin integrates with your WordPress setup, and you get to choose the backup, scheduling and restoration options. They take care of things, so you don’t have to. It is web based service and has very easy to use interface.


They had free and paid a subscription for the backup and management. You have to upgrade to premium service if you are using more than five websites in their system. This service also makes use of hands-free approach for the database backup.


Codegurad has monthly and annual subscriptions for the data backup. They take the backup on their cloud service. And allows you the access to the timed snapshots from which you can restore the backup to your fresh installation.

Manual Backup

If you can’t afford any other method of the backup service, you can backup your data manually to Google drive, dropbox or local computer. In this method, you can use any of the database backup plugins to download the archive that is generated by the plugin. Alternatively, you can also backup the data from /uploads folder for backing up images and other media files. Posts and comments along with core settings can be downloaded by following these instructions.

Click on Tools then go to the export page. In this page, you have to select all the posts and pages and click the export button. You get WXRS file that contains the data from the WordPress core. This is basically an XML file that has the structured data which you can use to restore your posts. If you can’t afford premium plugins or service for the backup. You can use free plugins that can store the backup on Dropbox or Google Drive. These two backup services can host your blog backups for free. If by any remote chance if your backup exceeds the data limit of these services, you can then go ahead and purchase the yearly subscription for storage.

Dedicated WordPress Hosting

There are some of the dedicated WordPress hosts which offer custom installs with better performance than your average shared hosting. The first thing they offer is the simplicity of installation. You just have to add your domain name and click few buttons to get inside the dashboard of your new WordPress install. They have suggestions and limits for the type of plugins that you can use. So they pretty much make sure that your website has less downtime from the security front. These web hosts are optimized for better performance of WordPress Install. They are not your typical cheap shared hosts. So expect to spend some bucks if you want to migrate your websites to their infrastructure.

Here are some of the dedicated WordPress Hosts worth checking out –

  1. Siteground
  2. WPEngine
  3. Synthesis
  4. Pressable
  5. Page.ly

There are many other web hosts that offer managed WordPress hosting service. Make sure you read the testimonials from other customers and discuss which plugins can be used on the hosting service before your purchase their hosting plan. If you are searching for such dedicated hosts for WordPress hosting.

I suggest first collecting the reviews and then choose which hosts meet your requirement. Ask all the questions you have about the hosting service related to performance and security. Compare the answers of all the hosts and then choose which is perfect for your budget and requirements.

Managed or dedicated hosting services are only good if you are serious about caching, performance and security for your website.

Identify and Fix a Hacked WordPress Website

Your website is hacked, and you don’t know what to do next. Here are some of the things that I think you should do.

  • Take the WordPress into the maintenance mode.
  • You can then export the post data from Tools > Export. Keep that backup on your desktop. Scan and manually check that XML file for any injected code.
  • Notify your web host about this incident. Check the security logs on your web hosting account for the record of intrusion.
  • Change the passwords of your hosting control panel, FTP, domain name and email ID associated with these accounts.
  • Change the passwords in wp-config and also change the authentication keys with new set of keys.
  • Remove the old themes and plugins from the setup.
  • If there are too many fixes to the WordPress code, install fresh WordPress setup.
  • Check the file permissions on the web server. Make sure that none of them are set to 777. Use sucuri or exploit scanner to check the files on the web server.
  • Make sure other sites in the hosting account are not affected by doing a security audit of those accounts.
  • Check for the malicious files in the hosting account.
  • Do fresh install if you find any security issues with WordPress.

Wordpress Security Guide - image  on https://trunk.lyAsk for Help

You may be expert WordPress user but there are many things that you can’t do from your end unless you know what and how to fix. In such case, it is better to ask for help from the hosting support team or the expert who knows how to fix things.

When you contact them for the fixing WordPress issues, be prepared to offer them following things –

  • Keep your backup and download it to your local drive before you give access to your hosting account.
  • Keep your server logs backup.
  • Explain your problem to them.
  • Point out the issue with the help of screenshot or URL if possible. Ask them to explain to you what was the problem once they finish their fixes.

You can always ask for help in official WordPress forums.

There are also many WordPress security professionals who can help you for fixed fees.

Security Checklist

Use this checklist to fix and maintain your WordPress website. Keep your website safe and secure, by prioritizing the tasks.

WordPres Security Setup Checklist

  • Keep your WordPress setup secure by executing these tasks.
  • Install WordPress Backup Plugins.
  • Install login security plugin.
  • Install Security scan plugin.
  • Remove unused themes and plugins.
  • Perform basic WordPress setup hardening.
  • Schedule automated website backups.

WordPress Security Maintenance Checklist

Once you set up the security measures for your WordPress site, don’t forget to maintain it regularly.

  • Perform security hardening with php.ini and .htaccess.
  • Schedule backups. Remove unnecessary security plugins.
  • Remove unused plugins and themes.
  • Search for bad files in the server logs.
  • Check server logs for intrusion attacks.
  • Check the security issues with updated version of plugins.
  • Check the issues with WordPress update.
  • Take a backup of MySQL, WordPress files, and other media files.

Website Information Checklist

Make sure you have this information stored securely. If you have more than one website, then make sure you keep all this data in spreadsheet hosted in some encrypted drive or online service.

  • WordPress Logins
  • Domain Registrar Login
  • Hosting Account Login
  • Email Logins & Settings
  • FTP Login Information
  • Google Accounts
  • Backup service login

Here are some of the resources that you should keep a tab on for more information on WordPress security.