10 WordPress Security Tips, Guidelines, Plugins, Settings


With the word spreading fast, it is no longer a secret that WordPress today hosts more than 8.5% of independent websites globally. The reason for the steep growth in the number of WordPress users is its policy of being an open source web development tool. That means the source code behind the pages the software builds is freely available, so developers can carry out tweaks and fixes to make the most of the web.

But this also makes the platform an open book for code breakers and hackers who intend to damage websites and, in many cases, to extract money from them. If you rely on the WordPress platform, here are the most important security tips to keep in mind.

WordPress Security Tips

1. Don’t Use “Admin” as Username

It is obviously harder to crack both the username and the password of a portal than to crack the password alone when the username is already known. This applies to WordPress administrator accounts whose username is left as "admin". The simplest way to add security is to change the username to anything other than the conventional "admin".

You can change the "admin" username by running the following SQL statement against your WordPress database, for example from phpMyAdmin:

UPDATE wp_users SET user_login = 'new_admin' WHERE user_login = 'admin';

– where 'new_admin' is your new username.

2. Restrict Admin Access by IP Address

Normally any visitor can reach your wp-login page and try logins against your WordPress site by trial and error. You can restrict access to the wp-admin and wp-login pages to particular IP addresses only. Create an .htaccess file within your wp-admin directory and put the following directives in it –

order deny,allow
deny from all
# allow first IP address
allow from XX.XX.XXX.XXX
# allow second IP address
allow from XX.XX.XXX.XXX

– where XX.XX.XXX.XXX is the IP address you want to allow to reach your wp-login.

3. Move wp-config.php

This file holds all the database connection details as well as other data related to your account. The best way to protect it is to move it out of reach of SSH or FTP intrusions. It normally sits in the WordPress root folder; you can move wp-config.php into the directory one level above the WP root, which most FTP accounts do not expose. WordPress now automatically looks in that upper directory if it cannot find the file in the root directory.

4. Change Database Table Prefixes

You can change the prefix of the WordPress table names by editing it in the wp-config.php file at installation time. This keeps the table names used by your website from being guessable.

5. Alter Secret Keys

The secret keys are what make the password protection strong and make it behave according to your own installation rather than a default one. The default keys can be abused by an experienced WordPress developer, so to change them, open wp-config.php and replace the existing ones with freshly generated keys.
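As an added example (not code from the original post), a small Python script that generates the eight WordPress keys and salts from a cryptographically secure random source and rewrites the corresponding define() lines in a wp-config.php; the constant names are WordPress's own, while the function names and the character alphabet are my assumptions.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php (real WordPress names).
WP_KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Assumption: printable non-space characters minus backslash and single quote,
# so each value can sit safely inside a single-quoted PHP string.
ALPHABET = "".join(c for c in string.printable if not c.isspace() and c not in "\\'")


def generate_key(length: int = 64) -> str:
    """Build one key from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_wp_keys(length: int = 64) -> dict:
    """Return a fresh, independent value for every WordPress key and salt."""
    return {name: generate_key(length) for name in WP_KEY_NAMES}


def render_defines(keys: dict) -> str:
    """Render the keys as the define() lines wp-config.php expects."""
    return "\n".join(f"define('{name}', '{value}');" for name, value in keys.items())


def rotate_keys_in_config(config_text: str, keys: dict) -> str:
    """Replace existing define() lines for the eight keys; append any that are missing."""
    out = config_text
    for name, value in keys.items():
        pattern = re.compile(r"define\(\s*'%s'\s*,\s*'[^']*'\s*\);" % name)
        out, replaced = pattern.subn(f"define('{name}', '{value}');", out)
        if replaced == 0:
            out += f"\ndefine('{name}', '{value}');"
    return out


if __name__ == "__main__":
    print(render_defines(generate_wp_keys()))
```

Rotating the keys invalidates every existing login cookie, so all users (including you) have to sign in again afterwards.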

6. Always Update to Latest WordPress

Another common way to increase protection is to update to the latest available WordPress version, since newer releases fix some of the most serious security threats known at the time.

7. Never Show Your WordPress Version

Always remember that spammers and hackers know the security holes in every WordPress version. Recently you might have heard of the timthumb.php hack, which affected hundreds of blogs that were using version 1.33 of that script. A fix was provided promptly and version 2.0 of timthumb.php was released. So never give hackers the chance to learn which vulnerabilities are present in your WordPress code.

8. WordPress Security Plugins to Protect

Htaccess Password Protect – this plugin offers security features to safeguard the wp-admin directory along with additional directories such as wp-content, which the bundled security features do not cover.

WordPress Login Lockdown – this plugin records every failed login attempt from an IP address. Once multiple failed attempts have been noted from the same source, all further requests from it are blocked. Although it is a separate plugin, it can easily be merged with your theme's code.

Wassup – monitors the activity of each user across all the forms of your blog. It records any suspicious SQL injection or code injection attempts made by any user.

Secure WordPress – removes the extra error information shown on invalid login attempts, hides the WordPress version and update notifications in admin panels from non-admins, removes version strings from URLs, and checks for and removes bad or invalid database queries.

9. Use Strong Passwords

Modern brute force attacks break weak passwords with little effort. The best way to remove this weakness is to use a password that is strong by the computer's standards rather than merely looking complicated; using a password generator is one option.

10. Regular Backup

The most frequently prescribed security tip is to get into the habit of keeping regular backups of your websites. This ensures that the site can be restored to its previous state if it is hit hard by hackers.

The basic ways to protect a WordPress account and website are to make intrusions harder by using well-regarded security plugins and to keep the critical files out of reach of transfer protocols, so that you never have to face the dire consequences of a compromise. So from now on, make your WordPress blogs and websites more secure and out of the reach of hackers.

You might also want to check out WebsiteDefender and Quttera Web Malware Scanner.

1 Comment

  1. Ankur

    November 6, 2011 at 10:13 AM

    The IP address is for static IP only ?
    Can we use it with dynamic IP with some range method ?