The WordPress Security Guide
Security is a very important, but often overlooked aspect of blogging.
There are many tools and plugins that can be integrated into your WordPress blog that
can help harden and secure it from hackers and spammers.
This guide on WordPress security will hopefully add an extra layer or two in helping to
secure your online asset – your blog.
Latest WordPress Version
WordPress is an open source publishing platform, which means its source code is freely
available for anyone to see, use, modify.. or exploit.
Attackers, and the authors of worms and viruses, take advantage of older, more vulnerable
WordPress versions because the holes in those versions are public and the tools to exploit
them are widely shared. Every new WordPress release improves on its predecessor both in
terms of functionality and security, fixing the vulnerabilities found since the last one, so
it is very important that your blog is running on the latest version.
Backing up WordPress
Backup early.. backup often! It is as simple as that.
When did you last backup your blog?
How much would you lose if your web host’s hard drives permanently failed right now,
and your blog was gone with it? Or you installed a new plugin or upgraded an existing
one, which caused major conflicts resulting in data loss?
You get the picture.. your website is only as safe as its last backup.
I backup a fair bit and have made a habit out of it. It has certainly been a lifesaver on
those rare occasions when I have needed to do a restore.
I personally do a full backup of my blog and database after every post I publish.. as well
as any progress I make on a draft post I am working on.
I will also do a full site and database backup prior to installing a new plugin.. or even
upgrading an existing plugin. That way if there are any conflicts I can always revert.
I recommend creating a backup folder on your hard drive, and underneath that creating a
folder named after the current WordPress version.. and just put your backups in each of
these folders. Every time a new WordPress release comes out, just add a new versioned
folder and continue doing the same.
They don’t take up that much space and in time you can always do a cleanup and delete
some of the older backups you have got.
Two checks worth adding to the habit: keep the copies somewhere other than the web host
itself (a backup that dies with the server’s disks is no backup), and restore one into a
test install now and then, since a backup you have never restored is only a hope.
Here is an example of how my backup folders are setup,
I think it is a good idea as well to take screenshots of any customised settings you have
made to your blog such as your Permalink Settings,
I also take screenshots of all my active plugins as well as their version numbers.
This can come in handy if you need to restore your blog, you can easily identify the
version of the plugin needed for the restore.. as a newer plugin version may not be
Taking screenshots of various plugin settings can also be very helpful if you’ve needed to
delete a plugin and reinstall it,
Likewise with your backups, just create a plugins screenshots folder and put all your
As I already do regular full backups.. I tend to update my screenshots every month or so.
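As an added example (my own script, not part of this guide), here is how the backup routine described above can be automated from a shell on the web host or over SSH. It reads the core version from wp-includes/version.php to name the folder the way the guide suggests, archives the whole install (wp-config.php included), writes a plugin-name/version manifest in place of the plugin screenshots, and dumps the database when a database name is given and mysqldump is present. The function names, the backups/<version>/<timestamp>/ layout and the site path are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the guide. Assumed usage:
#   backup_site <site_dir> <backup_root> [db_name]   -> prints the backup directory
# Keep <backup_root> outside <site_dir>, otherwise the archive includes itself.

# Core version, read from the "$wp_version = '...';" line in wp-includes/version.php
wp_version() {
    grep -m1 '^\$wp_version' "$1/wp-includes/version.php" 2>/dev/null \
        | sed "s/.*'\([^']*\)'.*/\1/"
}

# One "<plugin-folder> <version>" line per installed plugin, taken from the
# "Version:" header of the plugin's main PHP file (replaces the screenshots).
plugin_manifest() {
    local dir slug ver
    for dir in "$1"/wp-content/plugins/*/; do
        [ -d "$dir" ] || continue
        slug=$(basename "$dir")
        ver=$(grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$dir"*.php 2>/dev/null \
              | head -n1 | sed 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//')
        echo "$slug ${ver:-unknown}"
    done
}

backup_site() {
    local site=$1 root=$2 db=${3:-} ver stamp dest
    ver=$(wp_version "$site"); ver=${ver:-unknown}
    stamp=$(date -u +%Y%m%d-%H%M%S)
    dest="$root/$ver/$stamp"
    mkdir -p "$dest"
    chmod 700 "$dest"          # wp-config.php credentials end up in here
    # Files: the whole install, so themes, plugins, uploads and wp-config.php
    tar -czf "$dest/files.tar.gz" -C "$(dirname "$site")" "$(basename "$site")"
    plugin_manifest "$site" > "$dest/plugins.txt"
    # Database: only when a name is given and mysqldump exists on this machine
    if [ -n "$db" ] && command -v mysqldump >/dev/null 2>&1; then
        mysqldump --single-transaction "$db" | gzip > "$dest/db.sql.gz"
    fi
    echo "$dest"
}
```

mysqldump is left to read its credentials from ~/.my.cnf rather than taking a password on the command line, where every user on the host could read it from the process list. Copy the resulting folder off the server afterwards; the point of the version-named folders is that the restore pairs each archive with the core release it came from.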
Exporting your Content
Exporting your WordPress data (posts, pages, comments, custom fields, categories and
tags) is sometimes necessary and useful. If you are moving to a new host or just want a
backup of your blog’s content, then exporting is the answer. Note that the export is an
XML file of your content only: it does not contain your uploaded images and media files,
your themes and plugins, or your settings, so it complements a full backup rather than
replacing it.
In the Tools section click on Export,
If you select All Authors from the drop-down menu this will export all the posts, from all
authors on your blog.
If your blog has more than one author, you can restrict the exports to a certain author,
by selecting that particular person.
Next click on <Download export file>,
Click on <OK> to save the exported file,
As before, just put this exported file in your backups folder.
The wp-config.php file is the key to the WordPress database. It holds the database name,
username, password and host, and also the secret keys WordPress uses to sign login
cookies. So it is a good idea to back this up as well, and to treat the backup as
sensitively as the file itself, since anyone who reads it has your database credentials.
Using your FTP client copy this file to your backup folder,
See also the Securing WP-Config.php section below
Changing the Default Admin User
When you started your blog right at the beginning, WordPress by default names the
administrator account “admin“.
A lot of bloggers don’t bother to change this and just choose a strong password. It is a
very good idea to change the admin account name to something different as well.
Hackers who want to gain access to your blog often employ brute-force attacks, using
automated tools to guess passwords by cycling through different combinations of letters,
numbers and characters. A login needs two secrets, the username and the password; if
you leave the administrator account as admin, the attacker has one of them for free and
only the password stands in the way.
Renaming the account is not a complete hiding place: WordPress reveals usernames through
author archive links, and older versions’ login errors tell an unknown username apart from
a wrong password (which is why the Secure WordPress plugin below strips that error
information). A strong password remains the real defence; the rename just stops the
attacker getting the first half of it for nothing.
To change this, log in to your WordPress blog as normal.
Under the Users section, click on Add New,
Fill out the details for adding a new user.
Make sure you choose a hard to guess username by using letters and numbers, and that
it’s not similar to the one you publicly display on your blog . For example, the word
“wordpress” could be turned into “wOrdpr3ss”.
I recommend choosing a really hard and long password as well.
If you are thinking ‘not another password to remember‘, then you should checkout my
post LastPass Guide to Online Password Management which shows you how to manage
all your online passwords and usernames by remembering only one master password.
You can generate very strong random passwords with LastPass.
Also, make sure you select Administrator from the Role drop-down menu.. and when you
are done click on <Add User>,
This new user has just been created.
Just double-check that the Nickname (and the display name shown publicly on your posts)
isn’t the same as the secret username you have just created. WordPress fills the nickname
in from the username by default, which would print your login name on every post. If it
is, change it,
Now logout of WordPress.
Log back in using your new username and password.
Under Users, click on Authors & Users,
You will see both users – admin and your newly created user.
Delete the admin user by clicking on Delete,
You now want to transfer all the posts that were authored using the admin account to
your new account.
Select Attribute all posts and links to your new username.. then click <Confirm Deletion>,
Your new username is setup and the old default admin account has been deleted. And all
posts and links have been transferred across to your new username.
Securing WP-Config.php
According to the official Hardening WordPress Codex, you can move the wp-config.php
file to the directory above your WordPress install.
This means for a site installed in the root of your webspace, you can store wp-config.php
outside the web-root folder, so that a server misconfiguration that serves .php files as
plain text cannot hand out your database credentials and secret keys.
Note that wp-config.php can be stored ONE directory level above the WordPress
installation (the directory where wp-includes resides) and no higher. WordPress only looks
there when the install itself has no wp-config.php and the parent directory is not itself a
WordPress install. Wherever the file lives, set its permissions so that only your account
and the web server can read it.
Preventing Directory Listing
Whether a hacker can use a web browser as a file browser to look through the contents of
the folders on your server is decided by the web server’s configuration (on Apache, the
Indexes option) and by whether a folder has an index file, not by WordPress itself. The
sub-folders of individual plugins and themes, and the uploads folder, frequently have no
index file, so on a host with listings enabled their contents are exposed.
Plugin and theme developers also make mistakes in their code that allow unexpected
access, and a listing hands an attacker the exact file names and plugin versions to go
looking for when hunting for vulnerable files to attack your site.
There are a couple of ways you can prevent directory listing.
Hiding Your Plugins
Type your blog’s URL into the address bar, followed by /wp-content/plugins/,
If a list of your plugins is displayed.. then you need to fix this asap,
If your plugins are visible to people snooping around, they can pick out one with a known
weakness and exploit it. Bear in mind that hiding the listing only removes the index:
anyone who guesses a plugin’s folder name can still fetch the files inside it directly, so
this is no substitute for keeping your plugins up to date.
To prevent this, create either a blank index.html file or a blank index.php file, and upload
it to the /wp-content/plugins/ directory.
Refresh the page. If you now see a blank page (the placeholder being served) or a 403
Forbidden page (the server refusing to list the folder), the listing is gone and you are a
lot safer than you were before.
Hiding Your Theme’s Files
Now type your blog’s URL into the address bar, followed by /wp-content/themes/,
Just like above, if your themes are visible, then you need to hide them by creating either
a blank index.html file or a blank index.php file, and upload it to the /wp-content/themes/
directory.
Refresh the page and if you see either a blank page or a 403 Forbidden page then you can
be assured that these folders are hidden from public view.
Editing Your .htaccess File to Prevent Directory Listing
The method I’ve just described, uploading a blank file into a directory, doesn’t prevent
directory listings of the sub-folders beneath it, and uploading a blank index.php file into
every folder on your server is far too cumbersome.
The recommended way to prevent directory listing of all folders is to edit your .htaccess
file (in your WordPress root directory “/”), and insert the following two lines at the
bottom of the file, a comment followed by the directive that turns listings off:
# Prevents directory listing
To do this, log in to your web server.. if you are using cPanel or an FTP client, make sure
that you have Force showing hidden files enabled (so you can actually see the .htaccess
file).
Now navigate to WordPress’ root directory, find the .htaccess file and edit it,
Add the two lines of code at the bottom of the file.. when you are done click on <Save>
to save the changes,
This now prevents directory listing of all of your blog’s directories, provided your host’s
Apache configuration lets .htaccess override the Options setting. If the listing is still
there after the edit, that is the first thing to ask your host about.
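Both measures from this section, as an added example that is my own script rather than anything from the guide. The two .htaccess lines it appends are the comment the guide shows and Apache’s Options -Indexes directive, which is the directive that disables listings; the function names and the assumption that wp_root is the folder containing .htaccess are mine.

```bash
#!/usr/bin/env bash
# Added example, not from the guide. Applies both anti-listing measures to a
# WordPress tree on disk; <wp_root> is the directory that holds .htaccess.

# Drop a placeholder index.php into every folder under wp-content that has no
# index.php or index.html yet (the tedious "every folder" step, automated).
add_placeholder_index() {
    find "$1/wp-content" -type d -exec sh -c '
        for d; do
            [ -e "$d/index.php" ] || [ -e "$d/index.html" ] && continue
            printf "<?php\n// Silence is golden.\n" > "$d/index.php"
        done' sh {} +
}

# How many index.php files now exist under wp-content (placeholders included).
count_index_files() {
    find "$1/wp-content" -type f -name index.php | wc -l | tr -d ' '
}

# Append the two lines the guide refers to, once only, so re-running is safe.
# Apache only honours this when AllowOverride includes Options for the path;
# nginx never reads .htaccess at all.
disable_listing_htaccess() {
    local f="$1/.htaccess"
    if [ -f "$f" ] && grep -q '^Options[[:space:]].*-Indexes' "$f"; then
        return 0
    fi
    printf '\n# Prevents directory listing\nOptions -Indexes\n' >> "$f"
}

# Number of "Options -Indexes" lines in .htaccess (should be exactly 1).
options_indexes_count() {
    grep -c '^Options -Indexes' "$1/.htaccess"
}
```

After running it, request /wp-content/uploads/ in a browser: a blank page means the placeholder is being served, a 403 means Apache is refusing the listing, and an actual listing means the host does not allow Options overrides in .htaccess.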
Changing WordPress Database Prefix
By default all the tables in your WordPress database have a prefix of “wp_“.
It is advisable to change this. SQL injection payloads written for a vulnerable plugin are
usually hard-coded against wp_users and wp_options, so an unusual prefix breaks the
canned payloads; an attacker who can run arbitrary queries can still look the real names
up, so treat this as one extra layer rather than a fix. The prefix can be changed to any
combination of letters, numbers and underscores. It is set as $table_prefix in
wp-config.php, and a few rows inside the tables (the user roles option and each user’s
capability keys) carry the prefix too and must be renamed along with the tables.
David Potter has done a nice guide on Changing the WordPress Table Prefix.
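The SQL for the prefix change, generated by a script of my own rather than taken from the guide or the linked article, so the renamed-row step is not forgotten. Pass the current table names (from SHOW TABLES) as the remaining arguments; the function name and argument layout are assumptions, and the example prefix k3z_ is made up.

```bash
#!/usr/bin/env bash
# Added example, not from the guide. Prints the SQL for moving from prefix
# <old> to <new>; run it against the database, then edit wp-config.php.
#
#   prefix_rename_sql <old> <new> <table>...
prefix_rename_sql() {
    local old=$1 new=$2 t esc
    shift 2
    # In a LIKE pattern "_" matches any single character, so wp_ must become
    # wp\_ or the WHERE clause also hits rows such as "wpsomething".
    esc=$(printf '%s' "$old" | sed 's/_/\\_/g')
    for t in "$@"; do
        case "$t" in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "${t#$old}" ;;
        esac
    done
    # Rows that embed the prefix in their data: the roles option and the
    # per-user capability/level keys. These run after the renames, hence the
    # new table names.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" $((${#old} + 1)) "$esc"
    printf '%s\n' "-- finally set \$table_prefix = '$new'; in wp-config.php"
}
```

Take a database backup first, run the output inside one session, and only then change $table_prefix in wp-config.php; if the usermeta rows are missed, every user logs in with no capabilities at all, which is the symptom to look for when the change goes wrong.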
WordPress Security Plugins
There are plenty of WordPress security plugins available, so please check that the
plugin’s version is compatible with your WordPress version before installing!
Here is a list of some good plugins that help to harden your blog.
WP Security Scan
WP Security Scan is probably the most downloaded security plugin for WordPress.
It scans your WordPress installation for file/directory permissions security vulnerabilities
and suggests corrective actions,
WP Security Scan also scans for general security vulnerabilities and lets you know of
areas that can be further secured,
WP Security Scan also has a password tool and allows you to change database table
Plagiarism and content theft is a serious problem for bloggers.
Often people will copy and paste content from your blog and re-publish it themselves
without your permission and without referencing your work.
WP-CopyProtect is a simple plugin that allows you to,
Disable right-click on your blog
Disable text selection
It certainly isn’t an all-encompassing solution. Both tricks are done with JavaScript, so
anyone who really wants your content can turn JavaScript off, read the page source or pull
your RSS feed, but it does the trick in deterring the average person trying to rip off your
posts.
I currently have text selection disabled on my blog and am quite happy with this plugin.
Secure WordPress helps to secure your WordPress installation and includes the following:
1. removes error-information on login-page
2. adds index.html to plugin-directory (virtual)
3. removes the wp-version, except in admin-area
4. removes Really Simple Discovery
5. removes Windows Live Writer
6. remove core update information for non-admins
7. remove plugin-update information for non-admins
8. remove theme-update information for non-admins (only WP 2.8 and higher)
9. adds the string used by WP Scanner
WordPress Scanner is a free online resource that blog administrators can use to get a
measure of their WordPress security level; support for it comes bundled with the Secure
WordPress plugin (see above).
To run wp-scanner add <!-- wpscanner --> to your current WordPress template.. I added
mine in the header.php file, before the closing body tag,
Once this code has been added, head to WPSCAN and scan your blog,
When the scan is finished you will be given a summary of the state of your blog and any
security risks associated,
When you have finished don’t forget to go back and REMOVE <!-- wpscanner -->,
otherwise others will be able to also scan your blog!
Login Lockdown records the IP address and timestamp of every failed WordPress login
If more than a certain number of attempts are detected within a short period of time
from the same IP range, then the login function is disabled for all requests from that
range. This helps to prevent brute force password discovery.
Lockdown times can be modified via the Options panel. Administrators can release
locked out IP ranges manually from the panel.
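The lock-out rule described above, as an added example (my own code, not the plugin’s) run over constructed failed-login records, so you can see what “more than a certain number of attempts within a short period from the same IP range” actually decides. The record format (one “epoch ip” line per failed login), the function names and the choice of a /24 as the range are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the guide or the Login Lockdown plugin.
#
# lockout_ranges <threshold> <window_seconds>   (reads "<epoch> <ip>" lines on stdin)
# Prints each /24 that reached <threshold> failures inside any window of
# <window_seconds>, with the time of the failure that tripped it.
lockout_ranges() {
    awk -v max="$1" -v win="$2" '
    {
        split($2, o, ".")
        r = o[1] "." o[2] "." o[3] ".0/24"     # collapse the address to its /24
        n[r]++
        t[r, n[r]] = $1
    }
    END {
        for (r in n) {
            # sort this range'"'"'s timestamps (insertion sort; the lists are short)
            for (i = 2; i <= n[r]; i++) {
                v = t[r, i]; j = i - 1
                while (j >= 1 && t[r, j] > v) { t[r, j + 1] = t[r, j]; j-- }
                t[r, j + 1] = v
            }
            # sliding window: failures at index lo..i all lie within win seconds
            lo = 1
            for (i = 1; i <= n[r]; i++) {
                while (t[r, i] - t[r, lo] >= win) lo++
                if (i - lo + 1 >= max) { print r, t[r, i]; break }
            }
        }
    }' | sort
}

# Constructed sample: five quick failures from 203.0.113.x (a burst) and five
# failures from 198.51.100.7 spread over eighteen minutes (a slow guesser).
sample_failures() {
    cat <<'EOF'
1252500000 203.0.113.10
1252500010 203.0.113.10
1252500020 203.0.113.11
1252500030 203.0.113.12
1252500040 203.0.113.10
1252500900 198.51.100.7
1252500950 198.51.100.7
1252501800 198.51.100.7
1252501900 198.51.100.7
1252502000 198.51.100.7
EOF
}
```

With a threshold of 5 in 300 seconds only the burst from 203.0.113.0/24 is locked out; widen the window to an hour and the slow guesser is caught as well. That is the trade-off the plugin’s options panel exposes: a short window misses patient attackers, a long one locks out a whole office or ISP range over a few honest typos, which is why the manual release exists.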
WP-DBManager is a plugin that manages your WordPress database.
It allows you to optimize database, repair database, backup database, restore database,
delete backup database , drop/empty tables and run selected queries.
It also allows you to schedule your backups and have them emailed to you,
I have configured mine so I get a scheduled email backup everyday,
This is quite a handy plugin as you can set it and forget it. That way you can be sure you
always have an up-to-date backup of your blog’s database. Bear in mind that the dump
holds every user’s password hash and e-mail address and travels by unencrypted e-mail,
so send it only to a mailbox you control and keep the scheduled copies out of shared
inboxes.
WordPress Security Resources
Security Related Codex Articles
Changing File Permissions – WordPress Codex
Editing wp-config.php – WordPress Codex
Hardening WordPress – WordPress Codex
How to Keep WordPress Secure – WordPress Blog
htaccess for Subdirectories – WordPress Codex
50 Other WordPress Security Resources
1. 5 WordPress Security Essentials – LGR
2. 8 Security Tips and Guidelines for your WordPress Blog – Online Tech Tips
3. 9 Best WordPress Security Plugins – Quick Online Tips
4. 9 SEO Security Tips for Wordpress – Antezeta
5. 10 Steps To Protect The Admin Area In WordPress – Smashing Magazine
6. 10 WordPress Security Tips – Lost in Search
7. 12 Essential Security Tips and Hacks for WordPress – SixRevisions
8. 14 tips to wordpress practical security [How-to] – Ruhani Rabin
9. 15 Plugins to Boost up your Wordpress Security and a Special Tip! – Smart Bloggerz
10. 16 Excellent Wordpress Security Plugins To Secure Your Blog – TutZone
11. 18 Wordpress Security Plugins & Tips To Secure Your Blog – MakeUseOf
12. 20 Wordpress Security Plug-ins And Tips To keep Hackers Away – Simple Thoughts
13. 20+ Powerful Wordpress Security Plugins and Some Tips and Tricks – SpeckBoy
14. Advanced WordPress Security Tips – Website In a Weekend
15. Basic Wordpress Security Tips – Lyle Ham
16. Best practices against hacking – Google Webmaster Central Blog
17. Current Events: Lazy Admins and WordPress Security – Monday by Noon
18. Did your WordPress site get hacked? – Ocaoimh
19. Essential WordPress Security Tips – Is Your Blog Protected? – Tips and Tricks HQ
20. Establishing A Sense Of Security On Your Blog – Steven Saunders
21. How to secure WordPress – Siteground
22. Increasing your WordPress Security – PixelPipes
23. Interview with Deutsche Welle on WordPress Security – Mark on WordPress
24. Protect Your Blog With a Solid Password – The Blog Herald
25. Protecting the Wordpress wp-admin folder – Reuben Yau
26. Regarding WordPress and Security – Daring Fireball
27. Top 5 WordPress Security Tips You Most Likely Don’t Follow – WPTavern
28. Top 10 ways to stop spam in WordPress – Cats who Code
29. Top 21 Wordpress Security Plugins for Hacker-Proof Blog – Binary Head
30. Top Ten Wordpress Security Tips – Moonlight Blog
31. Triple “P” Of Total WordPress Security – HowToSpoter
32. WordPress Security – Nercomp (PDF download)
33. WordPress Security – WPSecurity
34. Wordpress Security Flaw: Reset Admin Password of Any Blog Without Confirmation! –
35. WordPress Security and How I’m Going to Take All Your Money – Technosailor
36. WordPress security: Hide login error messages – Blog Building
37. WordPress security plugins – Insane Security
38. WordPress Security Presentation – Brad Williams
39. WordPress Security Prevention, Reactions, and Scares – Lorelle on WordPress
40. WordPress Security Tip: Remove the Admin User – Daily Blogs Tips
41. WordPress Security Tips – Devshed
42. WordPress Security Tips – Sakin Blog
43. Wordpress Security Tips – Too Many Secrets
44. Wordpress Security Tips and Hacks – Noupe
45. WordPress Security Tips for non-geeks – YouAre
46. Wordpress Security Tips — For the untrained – TechLinkblog
47. Wordpress Security Tips How to Keep WordPress Secure – Deals n Discounts
48. Wordpress Security Tips How to Secure a Wordpress Installation – Suite 101
49. WordPress Security Whitepaper – Blogsecurity (PDF download)
50. Wordpress SEO: Wordpress Security Why it Matters to SEO – Wolf Howl
This material may be shared with everyone, not sold for profit and not modified in any