A-Z Guide To Secure WordPress Blog – Beginners To Pro

In recent time, WordPress has been highly targeted by bloggers. Since WordPress uses MySQL and Php, it’s not tough to find a vulnerability in WordPress. Here I’m sharing some newbie tips to Secure WordPress blog. These are basic tips but some time missing these basic tips, may lead to losing your WordPress blog by some hacker.

Secure WordPress blog

WordPress is probably the best CMS out there for blogging. I can quite confidently say that, being a user of this awesome CMS for the past 6 years. I simply love the fact that i could choose from tens and thousands of plugins from the WordPress plugin database. The plugin database has never failed me, if you need to add a new feature to my blog, someone has already made a neat plugin for that and shared it for everyone to use. There are end-less options when it comes to themes, as well, right from the Thesis Framework to the Twenty-Ten default theme. And there are hackers, pesky guys living in Turkey or some part of the world you haven’t even heard of to ruin your happiness and to test your patience.

My site has been hacked nearly 6 times in the past by some Arabian and some Turkish hackers (at-least that’s what they claim from). They leave your site with an ugly black background with GIF images of skulls and Ravens. Most of these hack attacks are done by what is called as an SQL injection. Nowadays it has become a necessity to do all the preliminary safe guarding measures to keep these hackers at bay.

Useful tips to Secure WordPress Blog:

1.  Update WordPress

Keeping your WordPress up to date is the first and basic security tip for any WordPress blogger. This is something that you never want to miss, whenever WordPress is sending an update, it means that they have fixed some bugs, added some features and most importantly added some security features and fixes. You never want to miss out on this.

WordPress latest version

When you see the message  WordPress x.x.x is available! Please Update.

Specially, with one click update, it’s easier to upgrade your blog. Make sure, your theme and plugins are compatible with latest version of WordPress. If an update has been rolled out and it’s  not a security update, I suggest you to wait for 5-6 days, before other users stop reporting any bug in latest version of WordPress.

2. Update WordPress Plugins

Keep WordPress Plugin Updated

As, I mentioned above WordPress releases an update to fix bugs and security holes, and same goes with plugins. Many time, a vulnerable plugin or script used, can cause mass WordPress hacking. One such issue which we have seen in past is Timthumb vulnerability. Though, it was because of script but many plugins were using this script and they become vulnerable too. It’s important to keep your plugin update to keep it invincible. Always, use the plugin which are constantly updated and get good support. Being dependent on such plugins, which are not updated from long is a bad idea. Also, always use official WordPress repo to download free plugins.

3. Hide WordPress Version

Let’s assume you don’t have that 2 minutes to update your WordPress core files. The WP version can spark an idea for the hacker to break in, if you are running an older version of WP and everyone can know what the version is, trust me, you are doomed.

Most of the theme designers these days get rid of it for you, but just to make sure, go to your functions.php and add this line.

<?php remove_action(‘wp_head’, ‘wp_generator’); ?>

4.  Use Complex Login Password

I thought of not even mentioning about this, but then i know a lot of people who use ingenious and insanely complex passwords like ‘password’, ‘ilovejesus’, ‘123123’. Please make your passwords complex, add a couple of special characters (%&*#) and keep changing it for every 5 or 6 months. I would also like to recommend this plugin called Login Lockdown. You can download it from the WordPress plugins directory, the plugin will record all the IPs and time stamp failed login attempts. After a specific number of failed attempts from a particular IP, the IP will be blacklisted. This helps a lot to prevent any Brute-Force attack.


5. Check WordPress folders File Permissions

WordPress file Permissions

Go to file manager in your Cpanel or login to your FTP software and check the file attribute of your WordPress folder. Its better if its 744 (read only), if you find it to be 777, consider yourself extremely lucky that you haven’t got hacked yet. Most of Bloggers, when they change hosting, they don’t realize how their file permissions are changed. Make sure, you verify all file permissions after migrating your hosting. You can also use plugin like File permissions and size check, to check all your WordPress folders, file permission from dashboard.

6. Delete Default Admin User

This is one of the most crucial tip for people who looking to create secure WordPress blog. Default “admin” username is prone to Brute force attack and it’s a wise idea to change default admin username of your Wp blog. Or when you install WordPress, make sure you use some custom username and not “admin”.

You can Create a new user with Administrator rights, and give this new administrator a nickname that would be publicly displayed, in-case he/she writes a post. Now logout and then login to the newly created admin and delete the old admin user. Make sure you attributes all username and links to new user which you have created. Here is alternative but quick way to change username:

7.  Hide The Plugins Directory

The plugins folder  /wp-content/plugins/ should not be showing the list of folders and files inside them. Just try visiting your plugins folder @ yourblog.com/wp-content/plugins/, if you see a list of folders and files, you need to hide them.

To hide these folder, you need to create a new .htaccess file and drop it in your plugins directory.

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Prevents directory listing
IndexIgnore *
# END WordPress

If you already have a well written .htaccess file in your root directory, adding a separate .htaccess to an individual folder is not going to cause any harm. Also  take a look at this post for better understanding of how to edit .htaccess.

8. Change WordPress Table Prefix

By default the WordPress table prefix is ‘wp_’ and if this is left as such, it paves ways to a lot of hack attacks. This is probably the most important step in this tutorial, this is also one of the most complex steps to do if you are a newbie or doesn’t know much about working on PHPMyAdmin. But i will walk you through, no worries. Just make sure you follow the steps carefully.

  • Deactivate all your WordPress Plugins.
  • Login to your cPanel
  • Make a complete backup of your blog database.
  • Once you have took the back up of your database and downloaded the .sql file, open it with a text editor, my personal favorite is Notepad++.
  • Find all the instances ‘wp_’ and replace it with a complex table prefix, eg: ‘rer349jt_ ‘(don’t use this, this is just an example), and save the file.
  • Go back to  PHPMyAdmin and Drop all the tables in the database, make sure you do not deleted the Database itself. You need to drop only the tables within the database.
  • Now your database will be empty, use the Import option to import the new .sql file in which you replaced all the ‘wp_’ with your preferred prefix.
  • After the import is complete, you need to edit one last file, called Wp-Config.php, if you dont do this step your blog will not work. Open the file and look for the line,

$table_prefix = ‘wp_’;

replace the ‘wp_’ with your new table prefix and don’t forget to save the file.

  • If you have done all the above steps correctly, your database prefixes would have changed and you will be able to login to your blog.

Note: If in case all the widgets appear to be broken, simple add a new dummy widget to your sidebar and reload the page and then remove it after the page loads properly.

9. Turn Off database errors

In older versions of WordPress if there are any errors in the MySQL database, it would show the exact error on the browser itself, this gives the hacker valuable information about your database. To prevent this, you need to update your WordPress to the latest version, so that it will only show a general error message like “Database Connection error“, and not showing exactly whats wrong. Log in to your wp dashboard and update your WordPress core files.

That’s not all, there are many other tips which you should be following to create secure WordPress blog. One tip which I highly suggest, stop using encrypted footer WordPress theme. If you are serious about your Blogging, download theme from official repo, recognized theme author or better use Premium WordPress themes.

Also, it’s a wise idea to take  Automatic backup of WordPress Blog at regular interval to make sure, you can always roll back your blog to healthy condition. Here are some useful WordPress backup plugins, which you can consider installing on your blog. Do let us know what other security tip you would like to give to other bloggers to keep their WordPress blog secure.

Subscribe on Youtube

Article By
This was a guest post by Gowtham who is the editor of TechTint.com, a technology blog that concentrates on topics like, blogging, Android, how-to tips and other technology related topics.


COMMENTs ( 13 )

  1. Bhaveek says

    hi, I have changed the table prefix of database and done as you said in tutorial. Unable to access my blog no login… nothing is working now… need your help. :?

    • Gowtham says

      Hi Bhaveek, just now i took a look at your site, were you able to change the prefix successfully. Chances are that, you didn’t add the new prefix to the wp-config.php.

  2. Amit Shaw says

    Nice tips for securing our wordpress. But i already wrote 40 article with same account without deleting the admin if i’ll delete it now than is there any problem?

    • Gowtham says

      If you try to delete your default admin user, you will get an option something like following.

      “What should be done with posts and links owned by this user?

      * Delete all posts and links. Or
      * Attribute all posts and links to another author.”

      Then you can attribute these posts to a different author and proceed with deleting the old one. But make sure you 1st create the new admin user and then try to delete the old one.

  3. Wpfix says

    Nice collection of list of securing wordpress blogs. Even wordpress security scan plugin does a good job. It checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:

    File permissions
    Database security
    Version hiding
    WordPress admin protection/security
    Removes WP Generator META tag from core code.

    • Gowtham says

      I have tried a couple of WP security plugins in the past, but had some bad experience with them, so i stopped recommending them to people.

    • Gowtham says

      Thanks, You can hide the directories and files inside a particular folder by using .htaccess. Please take a look at step #7

  4. Arjun says

    The methods mentioned in this post are really nice but I don’t think any one of these will work out when a professional cracker wants to take your WP down. For example, Symlink can be used to surpass the above security steps…

    • Gowtham says

      Indeed a really good hacker would find someway to hack the site, but taking the time and doing all the necessary things to secure your blog does help.

  5. suraj says

    Great article ! Some days Ago my blog was hacked and recover it easily. If we follow these tips, Sure we can secure a wordpress Blog. Most important thing is Blog backup, We should keep it.

  6. maxwell ivey says

    Hello; that was a great article on keeping your wordpress blog safe. However, for me there is one point. When you are running a screen reader, which I do as a totally blind computer user; you have to be careful about updates to any software you use. Updating to the most recent version can often result in not being able to use it at all or having to put up with headaches and pulling hair out until your screen reader is updated to catch up with some of the latest software updates. otherwise, a very good article that was easy to follow even when discussing difficult technical issues. thanks, max

    • Gowtham says

      Thanks, to be honest with you i dont even thing about screen readers whenever i update any of the CMS. But now i feel like i got a slap across my face :) .

      Here after i am going to make it a practice to check my site with popular screen readers before any updates. So what reader do you use?