Secure Your WordPress Installation

by Simon. Average Reading Time: almost 3 minutes.

Security is often an overlooked aspect of blogging, but a few minutes making sure things are secure can save you hours and hours of ‘fixing’ if someone decides to mess with your site.

Here are some relatively simple steps that should help ‘toughen up’ your WordPress installation:

Don’t use the “admin” account.

Either change the username via MySQL

UPDATE wp_users SET user_login = 'username' WHERE user_login = 'admin'

*where “username” is whatever you want to call it.

Or, create a new/unique account with administrator privileges and delete the original admin account.

From WordPress 3.0 you can set the administrator username and password during the installation process, which is a good step forward.

Use secure passwords.

Use strong passwords to protect your website from dictionary attacks. WordPress will tell you when your password is strong (the admin interface for users has a password strength indicator).

Don’t restrict your strong passwords to the WordPress installation, do the same for FTP, SSH and MySQL as well.

Update the folder permissions on your WordPress files.

A good rule of thumb is to set the following permissions:

Files should be set to 644
Folders should be set to 755

If these settings are too restrictive, i.e. you can’t upload files, change the permissions to increase the privileges (e.g. 775 or even 777).

Remember, permission levels vary depending on your specific server configuration, but you can generally set them to the desired level quite easily via FTP or SSH clients.

For example, with SSH:

find [your path] -type f -exec chmod 644 {} \;
find [your path] -type d -exec chmod 755 {} \;

Move the configuration file (wp-config.php).

From WordPress 2.6 it became possible to move the configuration file up a directory and out of the WordPress root folder.

For example, if WordPress is located in the following directory:


You can move it to the following directory:


WordPress automatically checks the parent directory if the configuration file is not found in your website’s root directory.

This makes it nearly impossible for anyone to access your configuration file as it now resides outside the website’s root directory.

Move the wp-content directory.

Like the configuration file, WordPress 2.6 added the ability to move the wp-content directory to another location.

Once moved, make two additions to the configuration file to identify the new location:

define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content');

You may also need to define the new location for plugins:

define('WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins');

If hackers can’t find your wp-content folder’s location, clearly it becomes far more difficult for them to hack it.

Stay current with all updates.

The main WordPress installation files, plugins and themes can be updated easily via the admin interface. Make sure you do so each time a new version of either are released.

For plugins, the plugin change log makes it easy to see what has changed and therefore ensure compatibility with your version of WordPress.

Remove the WordPress version information from your header.

Viewing source on most WordPress websites will reveal what version of WordPress the website is running.

<meta name="generator" content="WordPress 3.0.1" /><!-- leave this for stats -->

This helps hackers find vulnerable blogs or determine ways to hack a particular version.

To remove, find the code shown below in your header.php file and delete it:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /><!-- leave this for stats -->

The wp_head function also includes the WordPress version in your header. To remove, include the following line of code in your theme’s functions.php file:


Use secret keys.

A secret key is a hashing salt, which makes your website harder to hack by adding random elements to the password. These secret keys are found in the WordPress configuration (wp-config.php) file.

Visit the following URL to get the secret keys: https://api.wordpress.org/secret-key/1.1/salt/

Replace the following in the configuration file

define('AUTH_KEY','put your unique phrase here');
define('SECURE_AUTH_KEY','put your unique phrase here');
define('LOGGED_IN_KEY','put your unique phrase here');
define('NONCE_KEY','put your unique phrase here');
define('AUTH_SALT','put your unique phrase here');
define('SECURE_AUTH_SALT','put your unique phrase here');
define('LOGGED_IN_SALT','put your unique phrase here');
define('NONCE_SALT','put your unique phrase here');

With the generated keys (example only):

define('LOGGED_IN_KEY','@+l2X{3wvy/1K[zRm|P_r;WixJ:,>V&JL![gyJq ?b[Wf.W|U_MKutdrL*$l][-S');
define('SECURE_AUTH_SALT','oS|EP&Pm`bf8iG!C<X8#yFG%8J)x G+3M`wRBtp#]7)&hj}ZV/p> yh-BtbBRbTk');

You can add or amend the secret keys at anytime. This will invalidate all existing cookies and require users to login again.

Change the WordPress table prefix.

You can define the WordPress database table prefix in the WordPress configuration file. By default, the prefix is set to:

$table_prefix = 'wp_';

Change this to whatever you prefer.

If you already have a version of WordPress installed, you will need to manually amend the database table names in MySQL, or do a clean install and data import.

Force SSL on login and admin access.

Set the following option in the WordPress configuration file to force SSL (HTTPS) on the login and admin screens.


Use IP lockdown on the wp-admin directory.

Create an .htaccess file in your wp-admin directory with the following lines of code:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny, allow
deny from all
#IP whitelist
allow from
allow from

Where the IP address lines are whatever your chosen IP addresses are. Only users with these IP addresses will have access to the wp-admin folder and hence the admin part of the blog.


If you have any more suggestions, that don’t necessitate plugins, feel free to comment.

This article has been tagged

, , , , , ,

Other articles I recommend

Resetting a Lost ColdFusion Password

I’m a ColdFusion freelance developer and as can often happen, I end up using a spare machine sitting in the corner of a room. Being relegated to the “dunce’s corner” is bad enough, but commonly the ColdFusion password has also been forgotten. This happened to me just the other day. So, how do we go about resetting the password?

Using Google-Hosted JavaScript Libraries with WordPress

With the announcement that Google will be including page loading times as part of it’s SERPs ranking algorithm, it has become increasingly important to optimise your use of 3rd-party libraries such as jQuery.

PHP.ini Permission Problems on Windows Vista

Installing PHP is a relatively simple task one would think. Indeed it is simple, but configuring the php.ini isn’t; at least not so on Windows Vista! It is infuriating when such a relatively simple task is made inordinately complicated because of the nuances of Vista permissions. What started out as a 5 minute task took a significant number of hours searching for a suitable answer on Google, and not only by myself.