Ken and Casey Dawes successfully migrated our website to WordPress and made it much easier for the less initiated to maintain and made it look exactly the same as the old site. Well done! Rev. Steve Ellis St. John Episcopal Church Rev. Steve Ellis St. John Episcopal Church

10 Steps to WordPress Security Protection

Scripted websites/ blogs using WordPress are becoming more and more common. And as such they are becoming ever more tempting targets for hackers and trashers. It might be something as simple as putting a picture on your site that goes “phhpttttt!!! I was here!” Or it might go so far as to taking over your site, denying you access to it and then holding your site for ransom. Malicious code can be placed on your site that might infect visitors’ computers and not the least of your worries, get you banned by the search engines.

Wordpress.org does a great job of eliminating potential entryways into the WordPress code with frequent updates. However, it is open-source code and is developed by hundreds if not thousands of people. (especially when you consider the myriad of themes and plugins available) Unfortunately, hackers work just as hard to find ways to exploit WordPress any way they can.

What can you do?

I have compiled a number of things that you can do proactively to help keep your WordpPress secure. Note: I said “help” keep your site secure. When it comes to websites and hackers, there is no guarantee that your site can’t be successfully attacked. But you can make your site unpalatable to attack and more secure.

Warning! The security measures below range from quick and easy to those demanding some “chops” in coding. It is possible to incorrectly implement some these steps and lock yourself out from your site with no way to correct your mistake. You could even damage your site yourself. I can take no responsibility for any problems you might have from applying these security measures.

That being said… we’ll start with the basic ones and get more complicated as we go on. Or you can have me install my Web Mechanic’s WordPress Security Package.


  1. Always use the latest version of WordPress. As I mentioned, software security is an ongoing struggle and WordPress.org does a great job of addressing the latest threats. If you have concerns about being a “first adopter” of new versions, wait a few days or a week before updating. Be aware that updating may cause problems with your plugins or themes. You should back-up your WordPress before updating. See wordpress.orgfor details.


  2. Don’t use a simple, easy password. Did you know that the most commonly used passwords are “password” and “1234567”? Is that you? As reported by PCmag.com here are the 10 Most Common Passwords.You should use a strong password that incorporates numbers, upper and lower case letters and “special” characters like ! ” ? $ % ^ & ) I know, I know, it’s going to be hard to remember. Write it down, have your browser memorize it… It’s better than giving carte blanche to your site! WordPress can generate a random strong password for you. In your Dashboard go to “Users” and select your account name (for most people it’s probably “admin”) and make sure that your email address is correct. Log out from WordPress and then instead of logging in again, click on “Lost Your Password?” Your WordPress will email a new, strong randomly generated password.


  3. Now that we have talked about your “admin” user account… Get rid of it!  Well, not totally. Add a new user with full administrator privileges.  Use a not totally obvious username and a strong password. Log out of WordPress and then login with your new username and password. Now you can go to the “Users” area and edit the “admin” user account. Most people leave the main username as “admin” … attackers know this!  Edit your “admin” user by changing its role from “administrator” to “subscriber”. Save the change. Now if a hacker tries to take over the standard “admin” account, they will have no privileges to change anything.
    Note!If you installed your WordPress site using Fantastico, you were probably already prompted to enter your own username and password during setup. Change your password to a strong one if you did not do so originally.


  4. In the Dashboard navigate to  Settings-General. Make sure that the “Membership-Anyone can register” checkbox is unchecked. Be sure that the “New User Default Role” is set to subscriber.


  5. This is a good time to add some login protection. Hackers will often try a brute force means of accessing your site by trying thousands of passwords in hopes of discovering the right one. The “Login Lockdown” plugin will, upon activation, deny login access for 60 minutes to anyone who tries 3 wrong passwords in 5 minutes. If you want to adjust these settings, you can modify them on the Login Lockdownconfiguration page.


  6. Here’s another plugin that can help keep the wolves at bay. It’s the WordPress Firewall 2 plugin. This plugin does a lot! It monitors your WordPress site for attacks, protects your plugins, and is a Swiss Army Knife of protection…  It is an updated version of the original Firewall plugin by SEOEgghead. You can read about its features at the original plugin homepage.


  7. Now this is where we start getting more geeky. In the root of your WordPress installation is a file called .htaccess. It can control a lot of things on your website. More than I can go into in this post. Anyway, you can add this following line into the .htaccess file using a text editor.
    [field name=prevent-dir-browse]

    Normally browsers can see into folders and report on and even access the files within. To prevent this random viewing website designers put an empty index.html file into each folder. WordPress has many, many folders – too many to make this practical. Making this addition to the .htaccess file denies folder will keep browsers (and people) out of folders where they have no need of access.


  8. In the WordPress root there is a file named wp-config.php, it’s quite an important file and you don’t want someone to “accidentally” gain access to it as it contains the username and password for your mySQL database connection. We can deny access to it by adding a few more lines to the same .htaccess file that we mentioned in #7.
    [field name=protect-wpconfig]


  9. This next tip I found is from Jeff Starr at the Perishable Press website.  Many recent attacks on WordPress have used very long request strings… Much longer than legitimate ones would be. The code below can be copied to make a php file that can be placed in your WP plugin folder. Further explanation may be found at his blog post “Protect WordPress Against Malicious URL Requests
    [field name=bad-query-code]

    UPDATE: Instead of copying and pasting the above to make your own plugin, Jeff has uploaded it as a downloadable plugin on WordPress.org – Block Bad Queries (BBQ) Plugin


  10. WordPress.org suggests replacing the “Secret Keys” in your wp-config.php file with your own secret ones. If you go to the WordPress Secret Key Generatora randomly set will be generated similar to these below (don’t use these.. they wouldn’t be very secret!)
    define('AUTH_KEY',        'N!3MZ9+>l-5)=K&+_j7mM+}ZK5UFvZQ E{=*Vzp0Eae+i^oXY]!)B@vFj?x;&y=c');
    define('SECURE_AUTH_KEY', 'OeX>dl;tuRc$w+ehD{2]k%k{3uhH|L|8DNQu[/Np8_&qz_ rp7v+z6YODdjz9%~s');
    define('LOGGED_IN_KEY',   'oOO1smvP?

    Just copy and then paste the secret keys over the ones in your wp-config.php file. Don’t worry about having to remember them, they are used by WordPress to encrypt information.

    UPDATE: I have found an easier way to do this with a downloadable plugin called the WordPress.org – Update Unique Keys Plugin. With this plugin you can periodically change and update your “Unique Keys” from within your WordPress Dashboard… Easy!


7 comments to 10 Steps to WordPress Security Protection

  • Solid wordpress security tips worth a retweet!

  • For #10, the Secret Keys, I have published a plugin to help update the wp-config.php file. It’s hosted on WordPress titled Update Unique Keys

  • ken

    Hi Brian,
    Great! Thanks! That makes it much more convenient for folks to update their Secret Keys.
    People should note that if they install some of the security plug-ins mentioned above they should be deactivated before activating “Update New Keys” as they will think that a modification to the wp-config.php is an attack. Be sure to reactivate your security plugins afterwards!


  • Morgan

    I just tried #8 and it blocked me from being able to browse my site. Is there a step I’m missing in there?

  • ken

    Sorry I hadn’t noticed your comment earlier, Morgan! I’m not sure, but I think my site was displaying the code incorrectly when you looked… I have it fixed now… Please try again!

  • Thanks for the great tips, I used several of them since I recently got hacked. I had some security in place but not enough apparently!

  • Thank you SO MUCH for tweeting me this article. It has been super helpful!!!

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>