WordPress Security Hacks and Tricks

Following on from my recently article about WordPress security plugins there are a number of ways you can shore up your security by using a few choice snippets and hacks.

Please do ensure you backup before making any changes to your files, the .htaccess if broken can cause your blog to stop working completely!


Login Name

The WordPress default is “admin” which basically leaves the hacker just needing to workout your password, don’t make it easy for them!

Keep Your Install Up To Date

By keeping your WP install up to date you ensure all the last patches and fixes are installed thus any known exploits will not work on your blog. It takes 2 minutes, just get it done.

Delete Files

Sounds simple but many people leave in the readme.html files in the root folder, delete this as the readme.html file has the version number of your WordPress install within.

Delete Install File

You can delete the wp-admin/install.php file as its not needed once WordPress is installed, having it just laying around can leave your blog vulnerable to attack.

Use A Strong Password

I know some of these tips are obvious to some, but many people still use “password” as their password, think of something strong, a mixture of upper and lower case letters with a few numbers should do the trick.


Protect Your wp-config.php File

Your wp-config.php file contains your blogs database details and other pieces of info about your blog a potential hacker would like to see, so inside your .htaccess file add:

<Files wp-config.php>
order allow,deny
deny from all

Block wp- Folders From Everyone

The folders wp- folders contain various pieces of information about your blog, which you don’t want people to see and certainly don’t want bots indexing your file structure to the world, so to prevent this add this to your robots.txt file:

Disallow: /wp-

Remove The WordPress Version

I covered this once before in a previous article, but it is worth mentioning again. This is slightly different than the snippet I posted in my previous article, I have since discovered the version number appears in the RSS feed too, add this to your functions.php file:

function no_generator() { return ''; }
add_filter( 'the_generator', 'no_generator' );

Only Allow Admin Access From Your IP Address

You can also create a new .htaccess file for your wp-admin folder and allow access from your static IP address only:

# my ip address only
order deny,allow
allow from MY IP ADDRESS (replace with your IP address)
deny from all

Note: if you have a dynamic IP this can be a nuisance as you would have to manually alter this via FTP each time you need to access your wp-admin.

Disable Directory Browsing

Certain types of servers allow directory browsing by default, for security reasons you don’t want anybody to be able to nose around your directories and their structures, so to combat this add the following into your .htaccess file:

# disable directory browsing
Options All –Indexes


Securing your site is important regardless of your choice of CMS, many of these tips are obvious but important to take note of and perhaps implement within your WordPress install.

You Might Also Like