Keeping WordPress Safe from Intruders


Anyone with a WordPress website needs to take responsibility for it and keep it secure.  That means being super vigilant with passwords and ensuring that WordPress core and plugin updates are implemented as soon as they are available.  If you don’t want to take on this level of responsibility, hire someone to do it.  Lots of developers provide a managed service contract.

Hacking can be a problem, and it is not pleasant to suddenly find you are selling blue movies from your site footer!

Showing unwanted results

Action you can take

  1. Keep WordPress themes and plugins up to date.  Always, without fail.  These updates address security issues and bugs.
  2. Make sure that the anti-virus on your own computer is up to date.  Key-loggers or malware on your machine can compromise your site if you are using it to access the WordPress admin.
  3. Avoid cheap hosting; security is paramount.  No matter what you do to secure your site, it will make no difference if the host is not safe.  Look for hosts with solid support, who are transparent about issues and outages, and who take regular backups that you can access.  Security should be good enough to stop other sites on your server from cross-infecting yours. 40% of WordPress hacking happens through hosting servers.
  4. Never ever use ‘admin’ as your WordPress username. If your site has been set up with ‘admin’ as the user name, here’s how to change it »
  5. Give users only the privileges they need; setting everyone as an administrator is a security risk.  Usually the author role will suffice if they need to add and edit posts; otherwise leave them as subscribers.
  6. Make sure everyone’s password is secure: a mix of letters, numbers and special characters.  This is important, so use PassCreator » to create your passwords!
  7. Change your passwords once a month.
  8. Never install a free theme that is not from the WordPress theme repository.  Many of the top Google results for free themes have malware embedded in the code!
  9. Remove themes & plugins from your site that are not in use.
  10. Keep plugins to a minimum – thus reducing the chance of a security breach.
  11. Never ever install a free plugin that is not from the WordPress plugin repository.  Ever.  They have to pass stringent tests to get in there.
  12. If there is a choice, choose the plugin with the highest download count.  This is tried and tested.
  13. Make sure the plugin is regularly maintained, i.e. has been updated in the last 6 months.  You can see all of this on the WordPress plugin page.
  14. Remove inactive plugins from your site, always.
  15. Unfortunately WordPress does not limit the number of login attempts by default, so install the Limit Login Attempts plugin from the WordPress plugin repository.
  16. Take regular backups.  Install a plugin or, better still, get VaultPress by the WordPress people; it doesn’t cost much and the peace of mind is worth it.  More on backup plugins here »
  17. Delete any redundant user accounts.
  18. Disallow search engines from indexing anything that is not your main content – if you install SEO for WordPress by Yoast, it will do much of that for you.

Install a Security Plugin

If you wish to go down the plugin route for security, here are some you can use:

Hardening WordPress

Advanced developer tools

  1. Lock down the WordPress admin by preventing file editing through the dashboard.  Add this to the WordPress configuration file (wp-config.php):
    define('DISALLOW_FILE_EDIT', true);
  2. Ensure file permissions are correctly set for the whole site
    755 for directories
    644 for files.
  3. Ensure your WordPress configuration file is not readable by anyone over the web – add this to your .htaccess file (on Apache 2.4 and later the two order/deny lines are replaced by a single Require all denied directive):
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
  4. Make sure the WordPress configuration file contains the necessary unique security keys and salts –  you get those here »
  5. Hide WordPress version information and much of the unnecessary header output.  Add this to your theme’s functions.php:
    remove_action('wp_head', 'wp_generator');
  6. If you are the only one accessing the site, or if all users are in the same office, nail down admin access to your IP address.
  7. Choose a custom table prefix.  The default is wp_; you can change this to something else through the WordPress configuration file.
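Item 2 above gives the 755/644 scheme but not a way to apply or verify it across a whole install. The script below is an added example (not from the original article): it applies that scheme under a site root you pass in and then counts anything still writable by "other", which is the check to run before and after. The site root path is an assumption you supply.

```shell
#!/bin/sh
# Added example: enforce 755 on directories and 644 on files under a WordPress
# site root, then report anything that is still world-writable.
# Usage: harden_permissions /path/to/wordpress   (path is an assumption)

harden_permissions() {
  site_root="$1"
  if [ ! -d "$site_root" ]; then
    echo "harden_permissions: no such directory: $site_root" >&2
    return 1
  fi
  # Directories need the execute bit so the web server can traverse them.
  find "$site_root" -type d -exec chmod 755 {} +
  # Plain files are readable by the web server but writable only by the owner.
  find "$site_root" -type f -exec chmod 644 {} +
}

# Count files and directories under the root that "other" can write to.
# A hardened install should report 0; anything else is a file the web server
# (or any other local account) could modify.
count_world_writable() {
  find "$1" -perm -o+w | wc -l | tr -d ' '
}

# Count files that are not exactly 644 (useful as a post-run audit).
count_files_not_644() {
  find "$1" -type f ! -perm 644 | wc -l | tr -d ' '
}
```

Run `count_world_writable` on a fresh install first; a non-zero count before hardening is exactly the exposure item 2 is about.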

More on editing the WordPress Configuration file »



© Tracey Rickard. If you want to use any of my content please ask me first, you can't use it without permission that's stealing. You can use an excerpt as long as it is linked back to this article.