10 Key Ways to Secure a Typical WordPress Installation


In over a decade, WordPress has evolved from a fledgling content management system to the most-used solution online. This notoriety, generally speaking, is good for the entire community and has led to the largest group of developers for any content management system currently available. The CMS changes, evolves, and becomes more advanced, largely due to its size, scope, and influence in online publishing.

But it is those very things that cause WordPress to be the regular target of malicious hacking attempts and invasions of privacy. Hackers have taken note of the CMS’ proliferation among independent websites and major media outlets alike, and they exploit a number of vulnerabilities that gain them access to the Dashboard and even the WordPress database itself.

Thankfully, WordPress users are not merely “sitting ducks” in an increasingly malicious online environment. There are a number of things that can be done to dramatically improve the security of a WordPress installation and thwart hackers’ attempts to take over a website’s content, database, and overall reliability.

1. Change the WordPress Database Prefix

By default, every WordPress installation places its tables into a MySQL database with the “wp_” prefix. This is generally done to make the it more intuitive, as WordPress is often abbreviated as “WP” and there is simply no confusion as to which CMS those tables belong.

However, the Internet’s more nefarious users know that WordPress will place its content into tables with this prefix by default, and this is one of the first ways that they break into an installation or cause problems with the software’s database from the outside.

The prefix itself is set in the wp-config.php file before the installation process occurs. At that time, WordPress website owners should scroll through the configuration file and look for the following line:

$table_prefix = 'wp_';

This line should be changed to virtually anything but the default prefix. Choosing something like the title of the website, or the name of the primary administrator, might be a great first step in securing the installation and keeping out malicious hackers from around the Internet.

2. Hide the WordPress Installation’s Version Number from the Public

Every WordPress template comes with a variable that displays basic WordPress information and allows for the ongoing modification of the header through plugins. That variable is <?php wp_head() ?> and it’s invariably placed between the opening and closing <HEAD> tags of the header.php file. One of the main things performed by this variable is to display the current WordPress installation’s version number to the public.

This actually is used by the Automattic development team for analytics purposes, as it allows them to see which version numbers are being used the most, and if there are a large number of non-current users.

It also allows hackers to view the WordPress installation’s version number and plan their attack accordingly. Since security vulnerabilities with WordPress are generally version-specifc, and are fixed in any subsequent versions, and outdated installation that shows off its version number is ripe for attack by those who want to gain unauthorized access to the Dashboard or database.

This information can, and should, be removed from the “wp_head” variable; it can be done by adding the following line of code to the current theme’s functions.php file:

remove_action('wp_header', 'wp_generator');

Save that file and upload it to the server, and no one will ever know whether the WordPress installation is current, outdated, or even in beta. Nothing will be advertised publicly.

3. Place a Limit on the Number of Failed Login Attempts

Typically, malicious Internet users will gain access to the WordPress Dashboard through a “brute force” attack that enters tens of thousands of passwords rapidly. This attack looks to use dictionary words, and common numbers, to figure out the user’s security credentials. Without a proper block on these repeated attempts, there really is nothing to stop them.

That’s where the Login LockDown plugin comes in. Using the plugin, WordPress users can set a limit on the number of failed login attempts can be made before being essentially locked out of the Dashboard for an hour. Those failed attempts are tied to IP addresses, making this plugin even more effective.

4. Administrators Should Not Name Themselves “Admin”

When installing WordPress from either the built-in installer the administrator user is generally named “admin” by default. Malicious Internet users know this, and that’s the first name they’ll try to guess when gaining brute force access to the WordPress Dashboard.

When installing WordPress for the first time, be sure to name the administrator user something hard to guess (perhaps a nickname or something else). A brute force password attack is only effective if the administrator’s username is known. If not, it will be doubly impossible to gain access.

5. Keep WordPress Updated at All Times and Be Prompt About It

A new version of WordPress is typically released every few weeks or so, with minor updates and security patches serving to keep users safe from the hackers that are increasingly targeting Dashboards and databases around the Internet.

Failing to keep WordPress updated is essentially like giving hackers an open invitation to come on in, delete some posts, and compromise the website’s security. It’s a really bad thing to fall behind on these updates, especially since an un-altered theme will even display the version number for inquiring minds to see.

Since version 3.0, WordPress has enabled the automatic updating of the Dashboard with just a single click. In fact, the Dashboard even automatically notifies users of updates and will urge them to upgrade in pretty bold, outstanding text. This should be done as soon as an upgrade is available; it will not result in the loss of any files, plugins, themes, or settings.

Instead, updating WordPress will serve only to enable any new features and patch security vulnerabilities that were discovered since the last version was sent out to the 60 million users of the software. Always stay current in an attempt to fend off hackers.

6. Hide the WP-Config.PHP File from Virtually All Internet Users

WordPress users should never forget the power of the .htaccess file when seeking to hide files and protect the integrity of their WordPress Dashboard and database. In fact, this file is essential to ensuring the long-term security of WordPress in a number of ways. Using a few simple lines of code, the “.htaccess” file can actually completely hide files from public Internet users, even if the proper file permissions are not set on that file.

This is the solution to public display of the “wp-config.php” file, which contains things like the API keys and database prefix needed to compromise an installation.

To secure this file from malicious Internet users, simply add the following lines of code to the “.htaccess” file located within the root folder of the WordPress installation. If no such file exists, create one:

<Files wp-config.php>
order allow,deny
deny from all

With this line of code placed into the file, save it and upload it to the server via an FTP client. The configuration file for the relevant WordPress installation will now essentially vanish from public view, and that can only mean good things for security and peace of mind.

7. And, Speaking of File Permissions, Check Them to Ensure Security

WordPress does not require very permissive rules for file access and modification in order to work properly. Indeed, all of the site’s settings and content information is written to the database rather than stored in server-side PHP files. For this reason, there is absolutely no justification for using a 777 CHMOD value on any WordPress file. This is, instead, merely a way to ensure that hackers have easy access to configuration settings or other files that might compromise the installation.

To check permissions, and potentially fix them for a more secure installation, open an FTP client and navigate to the root WordPress directory. Right click on any PHP file and look for a menu option relating to permissions. In the resulting window, look for a number that indicates the file’s availability. It should certainly not be 777. In many cases, it’s advised to use a 744 CHMOD value that restricts access and modification of the files to only the server’s root FTP user. Change this setting if necessary, and then save it. The server will update accordingly.

8. Use the .htaccess File to Hide the .htaccess File

Most people don’t consider this a possibility, but the .htaccess file can actually be used to hide itself from the public. It already largely accomplishes this by employing a file name that starts with a period, but that won’t work on Windows-based computers. Those machines must find the file inaccessible using instructions contained within “.htaccess” itself. The permissions actually look pretty similar to the method used to hide WordPress’ PHP configuration file, as seen here:

<Files .htaccess>
order allow,deny
deny from all

Again, once that line is placed into the file, it can be saved and uploaded to the server. It will now be invisible from virtually everyone who visits the site, except the root administrator user.

9. Understand and Use the Power of a Blank HTML Document

Everyone who wants to gain access to a compromised WordPress installation knows that the software places its plugins and themes in a specific directory. They’ll check these directories to look for a lack of security plugins, or a number of XHTML and CSS-based vulnerabilities, and then they’ll exploit those things to gain access. This is actually pretty easy to prevent.

In order to make sure that the file lists in these directories do not show up to any Internet user, simply create a blank HTML document and place it into the folder. The document should be something pretty basic, with head tags and a title that says something like “Restricted Access.” This title might give off that the site administrator knows a thing or two about security, and it will send malicious users to other websites.

10. Always Have a Recent Backup Available

The right way to approach security of a WordPress installation is that it’s one part preparation, and one part prevention.

The “preparation” aspect of this process comes in the form of a backup. Both the actual WordPress files and the database used to store information should be backed up on a regular basis; this can be done a number of different ways, including several WordPress plugins for the Dashboard.

If a more advanced method of backing up files is needed, users can use backup tools in the cPanel or Plesk Panel backend administration areas. Additionally, administrators could automate the process and create Cron jobs so that a recent backup is always readily available.

The important thing about WordPress security is to always be prepared for the worst-case scenario. When it comes to ensuring uptime and reliability, even when under attack by a malicious hacker, a site backup is the easiest way to get back online after the security hole has been closed.

Vigilance and Smart Use are the Keys to a Secure WordPress Installation

Generally speaking, WordPress has gotten exponentially more secure in recent years. For a brief time, it seemed as if there was a new security vulnerability every other week. This pattern was especially troubling for larger and more corporate users, and the team at Automattic quickly got to work on a complete reboot.

That reboot was largely the 3.0 release, with a far more secure architecture and automatic updating tools that took the hard work out of staying current with the latest security patches and fixes.

When it comes to staying secure, these releases should absolutely be kept current and users should employ strict permissions, restrictions, and security tricks, to remain safe from malicious internet users.

Related Topics

This page may contain affiliate links. At no extra cost to you, we may earn a commission from any purchase via the links on our site. You can read our Disclosure Policy at any time.