7 Essential WordPress Security Tips

WordPress being popular but security vulnerable platform, it’s important for us to keep our WordPress blog secure. Here I’m sharing some essential WordPress security tips, which will help you to keep your blog safe and secure.

When I was 21, I hacked our university’s web-portal to get the semester final questions draft by entering into teachers area. I needed the questions of ‘network security’ course, so I attempted to login as sazzad (the respective teacher) and I succeeded in a few attempts to get his password as it was his girlfriend’s name without any space. :)

WordPress Security TipsReading my story of hacking, as a webmaster, you might be strained about your website security. For any website, a security strategy is a must. And as wordpress is the most popular open source software for blogging, it is a primary target of many malicious attacks.

Luckily, by the strength of being open source software, wordpress has many protective plugins, functions and techniques to save you. When used in an aggregate, these tools can defend you from vicious activity, hacks, spam and other threats. Let us have a look to few of these techniques today.

Useful WordPress Security tips:

Always upgrade:

Always upgrade your wordpress version, theme and plugin to the latest version. The upgrade may fix any security bug from the previous version, so it is wise to be upgraded.

Hide your wordpress version number:

For some reason, if you cannot upgrade to the latest wordpress version, do not let hackers know your current version. As the bugs of previous releases are known to all through wordpress.org, it will easier for them to attack your website. You can hide your wordpress version number by following below instructions:

  • If you are using an older theme, remove the following line from your theme’s header.php filephp bloginfo('version'); ?>" />
  • If you are using a newer theme, just add the following in your theme’s functions.php file
    <?php remove_action('wp_head', 'wp_generator'); ?>

Be careful about plugins:

Be careful about installing plugins. Weak plugins may have buggy codes through which some other codes or sql queries can be injected or some other harmful activities can be done to damage your site or its ranking.

Check plugin’s ratings and popularity before installing it. And to be sure, read reviews or ask your blogger friends about the plugin you are going to use.

While upgrading plugins to latest version, make sure you upgrade wordpress plugin in correct way.

Secure administrator account:

Prior to wordpress version 3.0, the default wordpress installation used to come with an administration account ‘admin’ as username. As the hackers know it, they will always try this.

Make sure, your administrator account username is not something easily guessable like ‘admin’, ‘yoursitename’ or ‘yourname’. If you already did so or you had installed a wordpress version older than 3.0, you need to change it.

Check here how to change wordpress default username security using PhpMyAdmin.

Disable directory browsing:

Directory browsingEnabling directory browsing in your site is comparable to keeping your door always open, so that the thief can see your wealth inside house and can do a plan to steal. :) I hope you understand the importance of keeping your door closed.

Directory browsing protectionA simple trick to disable directory browsing is to upload a blank index.html or index.php file in each directory and sub directory except the root. Also make sure this WordPress hack to find the plugin used in your website does not apply to your website.

Monitor any hacking attempts using wassup:

Wassup is a wordpress plugin that records details data of each user. Using this plugin you can monitor any malicious activities like code/sql injections.

Plugin Url: http://wordpress.org/extend/plugins/wassup/

If you are able to detect any such attempts, note their ip and block them.

Read: Block visitors from specific ip address using .htaccess method

Prevention is better than cure:

Last but not the least, never forget the following to do on a regular basis

  • Keep your workstation virus free, and keep anti-virus softwares updated
  • Keep backups (database and files) always. If you can afford consider using vaultpress. Read: vaultpress premium wordpress backup services from automatic
  • Use strong passwords and change on a regular basis. Do not save passwords to ftp clients or in browser histories.
  • If possible, use premium themes

These are some basic techniques to keep your wordpress sites secure. I will come-up with more security tips in the future. Make sure you subscribed to ShoutmeLoud rss feed to get updates.

Do you have more WordPress security tips to share? Do let us know one tip, which you follow to keep your wordpress site secure?

This is a guest post by Ron. If you like to write for Shoutmeloud, do read our Guest posting guidelines.

Subscribe on Youtube

Article By


COMMENTs ( 19 )

  1. mayank says

    Harsh you have given a good tutorial but it doesn’t help me as my site got hacked turkish hackers they delete all data and everything the thing left was index file which was promoting there govt. so its better to take backup daily.

  2. Prakash Prakash says

    Hi I check your info on internet it shows you are using WP version 3.8.1.

    and I also checked labnol.org but it says no data available for WP version. It means your Version is not hide or you are using something else.
    once I changed my Version how, Can I check that ?

    Please share your view.

  3. Karan Lugani says

    Safety is the first and foremost thing. What we have done in years can be removed in just 5 minutes by the hacker. Thanks for the tips.

  4. Sakib says

    I’m freak workpress developer, I thought I’ll get something new information. Most of the information we know and the version (hidden) doesn’t matter and when hacker will take the attempts, they might already be concerned about it. Thanks Ron.

  5. Murlu says

    Thumbs up for placing such a high amount of value on prevention. As I learned through Network Security classes – it’s so much easier just to make sure your safe than to play damage control afterward.

  6. Ruhani Rabin says

    First of all, thanks for the writer to point these security tips .. besides that, I would prefer .htaccess based protection scheme rather than index.php.
    Also I think you can change wp username in one click with wp-optimize (Shameless me) LOL!

    BTW Mahbub, where you stay in Dhaka? ;)

    • Ron says

      Hi Rabin, Thanks for your comment. yes, I agree about .htaccess, please see comment no 12 regarding this.

      Thanks for mentioning about wp-optimize too and glad to know that you are the plugin author. I will check it.

      I live at Chittagong. if you ever visit, don’t forget to take me as your travel guide :)

  7. aatif says

    Thanks for your share , i was anaware of hidding version of wordpress point. i will check that .

    • Ron says

      You can check it from ‘view source’ of your wordpress blog.

      At home page source, look for a ‘meta’ with ‘generator’ as ‘name’ and ‘WordPress ‘ as ‘content’.

      Then remove it as the way i mentioned in the post.

      • aatif says

        i am using new theme , there is no function.php . and i cant remove bloginfo(‘version’); ?>” /> becuase this is not there . what should i do ?

        • Ron says

          Hi aatif, its functions.php (you missed a ‘s’). There must be a functions.php in each theme, that’s a compulsory file to build a wordpress theme.

          I just checked your site from link attached to your name here. In that site, you’re using swift theme. There is a functions.php file in your theme. Open this file from wp-admin panel (or using ftp) for edit and at the second last line (just above php end tag ?>) add the mentioned code from the article and save the file. You’re done!

          If you still need help, let me know. I will be happy to help! Good luck. :)

  8. Amjath says

    Placing blank index.html files is not a good idea. You need to place it in all sub folders or else it will list the directories. Denying directory listing using the .htacess is better.

    • Ron says

      yes, I agree that .htaccess is better if one knows how to do that using .htaccess.

      But if someone does not feel confident enough to edit the .htaccess file, he can apply the simple trick of placing an index.php/index.html file.

      By default WordPress comes with blank index.php file in 3 main directories (wp-content, wp-includes and wp-admin). You need to put it in sub-directories and you can do it easily any ftp software.

  9. Samir@University Eight says

    Wow! The security tips are really helpful. Though I am still using Blogger for most of my blogs, these would be very helpful when I switchover soon. While most of us ignore the security of WP blogs assuming there are enough precautionary measures integrated by the developers of WP, that’s not always the case. I know personally of an instance where an Egyptian hacker totally cleaned out a web host’s datacenter! Thanks for the nice list!

    • Ron says

      Good luck with your switching blogging platform Samir.

      Yes, security things should never be ignored.

  10. Haresh says

    Thanks for the tips, esp the username ‘admin’ part. Before I read the post, I didn’t know how to change the default username.