WordPress Security 101: 8 Tips, Tricks and Tweaks to Secure Your WordPress Website

Do you use WordPress safely? Did you know that there are loads of ways that hackers can attack both your website and your computer using malware or malicious code?

In this post, we’ll took an in-depth look at all of the issues, and hopefully by the end of it you’ll be able to keep your WordPress website, and your computer, safe.

But let’s start with a fun look at some recent WordPress Security issues – guaranteed to brighten everyone’s morning :)

BlogPress SEO

The WordPress community has been abuzz over the past few weeks about the BlogPress SEO plugin. This plugin purports to create a backlinking scheme, with a paid version that basically gets you inbound links. Both of these are bad for your SEO – Google hates them – but I guess there are people out there that go for them. ANYWAY, for some reason the plugin developer emailed Yoast and asked him to promote the plugin. Yoast had a dig around and discovered this piece of code:

Screenshot of BlogPress SEO code

This code emails your admin email address to the developer. Eh? Wtf? I know!!!!

Not only that, but another WordPress user, Mtekk, discovered that the plugin operated as a backdoor – it allows someone who knows you admin email to log in to your site without a password. Ouch!

I emailed John at Mtekk and asked him about security in the WordPress Plugin Directory:

Mtekk logoThe review process for plugins, at this time, is not very stringent—especially compared to WordPress.org theme repository. In theory a bad plugin like BlogPress SEO could be approved and in the repository. As far as I know, there is not group of people checking every line of code on each new plugin release. The main reason is the checking is prohibitively expensive time and resource wise.

One thing to be aware of is a malicious individual can get a plugin in the repository while containing no malicious code. Then on a future update, the author could add in a backdoor as seen in the BlogPress SEO plugin. There is no review process before a plugin author tags a new release in SVN. Once a release is tagged, the automated update mechanism in WordPress will distribute this bad update to the plugin users that click “update” in their dashboard.

This is a little worrying given that most of us safety-conscious people tend to stick to plugins from the WordPress Directory as we assume that since they have been given the nod by WordPress they must be free from malicious code.

wordpress logoI emailed WordPress to ask them about this and Otto got back to me. He said that any author can submit their plugin to the directory. The plugins aren’t run, just checked for spam – once they are approved the developer can get access to the repository. However, there is no approval on either the code or the code reviews so it is possible for malware to be inserted. He did make it clear that any plugin author who inserted malware or malicious code would have his/her plugins removed and be blocked from wordpress.org. It isn’t something that has been an issue in the past.

UPDATE: Otto posted this in the comments so I thought it would be worth adding it here:

It’s probably worth mentioning that if we are alerted to malware in the WordPress.org Plugin Directory, we can go in, remove the malware, and use the plugin distribution mechanism to let users update their plugins, removing the threat. Yet another reason to keep your plugins up-to-date.

In fact, Yoast did use the WordPress directory to go some way towards solving the BlogPress SEO issue.

However, what this does mean is that our 100% unshakeable inviolable faith in the WordPress Plugin Directory may be a little bit shaken, violable and a tiny bit misplaced.

Here’s a tip from John at Mtekk:

It all comes down to finding trustworthy plugin authors, and doing a little research on a plugin before installing it. These two tasks will go a long way in preventing issues.

Good advice!

Worried yet? Here’s another recent security issue with WordPress:

Security Vulnerabilities

intruder imageIn April of this year, there was a mass hack of WordPress sites hosted on Network Solutions.

Basically, lots of people using WordPress had set their file permissions on their wp-config.php file to 755 (if you don’t know anything about file permissions I’ll tell you all about it in a moment). This meant that anyone was able to read them. A user at Network Solutions created a script to find all of those unprotected wp-config.php files with all of their lovely database login information. And that was that. Hundreds of WordPress sites were redirecting to websites containing malware.

The thought of my website taking my few visitors to a website that’ll infect them with malware makes me very sad :(

In order to make myself happy again, here’s my:

8 Security Tips and Tricks to Make Your WordPress Website a Safer Place


interact imageThis is one of the most important things you can do. If you update your site then you are already miles ahead of other people who don’t. An update will close up any security loopholes – this is true for plugins, themes, and for WordPress itself. It really is important to take notice of that WordPress nag message – after all, updating only takes about 30 seconds. If you can’t be bothered with that then you really are lazy.

Get your File Permissions right

If you’re like me you think you’ve got all of your file permissions right. Then you check them and you realize they’re like this:

Screenshot of incorrect file permissions

Oh dear…..

In order to get that nice table I installed a plugin called Bulletproof Security. This is a huge plugin which should take care of many of your security needs. It gives you loads of information about your site, protects you from hacking attempts, protects your all important htaccess and wp-config files, and even lets you turn on maintenance mode! Also, it’ll tell you, like me, if your permissions are wrong :)

In order to fix my file permissions I used FileZilla, which is my FTP client of choice (only because I’ve never really used any others – recommendations plz!). If you want to learn how to use FileZilla you can check out this guide right from WordPress.

Connect to your site using your FTP client, right click on the correct file or folder and select “File Permissions” like so:

screenshot of where to change file permissions in FileZilla

This will open up a nice window like this where you can edit your file permissions:

Screenshot of file attributes in FileZilla

Tip: Always make sure that your wp-config.php file is set to 750. This is recommended by the WordPress codex and is really important for sites using shared hosting. We really want to avoid any mass hacking attacks!

Backup your database

Backing up your database is an important part of any security procedures. If your WordPress website is hacked then you want to be able to restore in easily. There are plenty of blog posts out the made by exasperated people who’ve been hacked and who haven’t backed up their databases in month.

When it comes to backing up your database, there are two options:

1. Set up a Cron job using your GUI

Setting up a Cron job can be a bit daunting if you’re not used to playing around in your cPanel or Plesk. However, setting it up this way will mean you don’t have to use a plugin and can have the confidence in knowing that you’ve set it up yourself. Here’s a post from Sarah about how to set up a Cron job.

2. Use a plugin

Of course, there are WordPress Plugins for just about everything and there are plenty that you can use to backup your database.

no email logoTip: Avoid using a Backup Plugin that only emails you your MySQL backup. Email accounts have a habit of getting hacked (I had a major email hacking incident earlier this year :( ) and if a hacker wants your email address think about everything they could get up to with your MySQL database. It’s unpleasant enough dealing with an email hack – don’t make it so that you have to deal with a website hack at the same time!

You could try a plugin like xCloner which will take care of all of that backing up for you. You can save it to a secure folder on your server, have it emailed to yourself (see above!) or have it sent to you via FTP.

Delete the admin user

The admin user is often the target of brute force attacks on site. Since the hacker already knows the username – admin – they can use a password generator to try to come up with the password for your site. If you are setting up a new WordPress site you can simply use a different name for the admin. If you have an existing installation, create a new user with administrator settings and delete the old admin username. It’s simple but it’ll improve your security!

Use a Security Plugin

security iconThere are loads of security plugins out there to help you close any loopholes in your WordPress website. Here are two that I’m a fan of:

Bulletproof Security: I showed you earlier how you can fix your file permissions with Bulletproof Security. It also protects you from injection hacking attempts and enables you to switch easily from different levels of .htaccess security.

Secure WordPress: Secure WordPress does many of those little things that you should deal with after a WordPress installation. Among other things it removes theme and plugin updater information for non-admins, removes the wp-version except in admin areas, and removes Really Simple Discovery.

Use AntiVirus and AntiMalware

No doubt you use both anti-virus and anti-malware on your computer. But do you use them on your WordPress website? Both of these plugins will help to keep your WordPress website secure:

AntiVirus: This provides a quick and simple check to ensure that your blog is protected against spam injections and exploits. Just activate and check to make sure that your WordPress website is secure.

Screenshot of Antivirus WordPress plugin

Wp-Malwatch: This is another plugin which scans your website for malicious activity. It does this every day and posts to your dashboard to let you know if there are any problems.

screenshot of WP-Malwatch WordPress Plugin

Download Plugins & Themes from the Directory or another reputable site

I talked earlier about the BlogPress SEO plugin which not only emails the admin email address to the developer but also opens up a backdoor in your WordPress website. As we saw, it is possible for a developer to sneak in a piece of malware or suspicious code into the WordPress Directory, but Otto reported to me that he had never experienced it happening. In any case, BlogPress SEO was not in the WordPress Directory and it goes to show that it is still safer to get your plugins from there. Or, of course, you could get them from another reputable site (which tend to be premium sites) such as WPMU Dev, WP Plugins, Woo Themes, BuddyDress or Graph Paper Press.

Here are a few tips to help you out when looking for plugins or themes:

  1. Make sure that the download location is the same as the website that you are on. You can do this by hovering over the link – although be aware that a malicious website may use a cloaking script to hide the actual location of the theme so you may need to click on the link to see it. If it’s hosted location is different to the website location then avoid downloading it. If you want the theme you can use Google to find the original domain for the theme or plugin.
  2. Google it. A little bit of research can go a long way. If a plugin has been around for a little while you may find that someone else has already picked up on it as spam. Like so:
  3. Premium Themes and Plugins are a good way to avoid spammy plugins and themes. You will also find that premium versions will have a team of paid developers who will be constantly updating the plugins and themes for security loopholes so you can be more confident about remaining secure with them. On a recent plugin cull on a WordPress site I found a plugin that hadn’t been updated since 2008. Not good!
  4. Scan your themes. You can use a plugin called WordPress Theme Authenticity Checker which will scan any uploaded themes for problems. This is essential if you are uploading themes from everywhere and anywhere. The plugin will scan your theme for any malicious code.

Here’s a clean template:

Screenshot of clean wordpress themeAnd here’s one with code:

Screenshot of infected template

Actually, TemplateLite were pretty upfront about including external links (although base64_decode can be used to hide all manner of things).

screenshot of templatelite terms

Other template websites won’t be so upfront.

Tip: Only use plugins and themes that have been recently updated. There are loads of plugins in the directory that say that they are compatible up to WordPress 2.5 or 2.1 or 2.8 or whatever. They may still work with your WordPress installation but that doesn’t mean that they are secure. Choose plugins and themes that are updated regularly.

And last, but by no means least:


You would be surprised at how many people have totally lame passwords. They might use 123456 or abcdefg. Pretty dumb, right? I mean, if a password is as easy as that to remember then a hacker is going to be able to easily guess it and get access to your site. You could use a site like goodpassword.com to help you to generate your password, or you could come up with it yourself. This should be at least 8 characters, a mixture of numbers and letters, with at least one uppercase and one lowercase letter. You should use different secure passwords for your database, your website, your ftp – for everything you use.

document iconTip: Struggle to remember complicated passwords? I know I do. Rather than keeping them in a file or spreadsheet on your computer use the old fashioned method. Get out a pen and a piece of paper, write them down and keep them somewhere safe in your office. Remember, a hacker may be able to get into your computer but they can’t hack into your physical location (yet!!!!)

Had enough of security? Here are some extra resources to get you all filled up on WordPress security practices.

Here’s a pretty good presentation from thewebtrainer.com about how to secure your WordPress blog. Unfortunately the last few minutes seem to be missing but you can figure out what’s going on from the slides :)

And here’s some further reading for all you eager beavers:

Got a favorite WordPress Security Tip, Tweak, Plugin or Hack? Let us know in the comments below!

Tags ,

Comments (39)

  1. I’m VERY impressed with the effort and info you’ve put into this post. I build WordPress sites every day for myself and my clients and thought I was on top of this ‘security’ stuff – well as much as you can be!

    I paid some $$$ for my main site to be ultra protected [WPDefender stuff aka John Hoff ] – even had my Ukranian programmers check it out too – but I seem, in spite of all that, to have issues today on my main site.

    I have people working on it big time right now but it’s so frustrating in that when I knew nothing about hacking I rarely got hacked and now that I do, and am as one with all anti hack stuff, I still have issues!

  2. This was a really helpful post — and perfectly timed. I always wonder which file permissions are the right ones and installing BPS plugin, recommended above, answered most of those questions. Thanks so much!

  3. It’s probably worth mentioning that if we are alerted to malware in the WordPress.org Plugin Directory, we can go in, remove the malware, and use the plugin distribution mechanism to let users update their plugins, removing the threat. Yet another reason to keep your plugins up-to-date.

  4. Thanks Siobhan,

    This is a very complete article on WordPress security. I think the topic is of increasing importance as greater numbers of websites are being powered with the platform and the ease with which malware can find it’s way in.

    Thanks for an excellent article. I was looking for just this kind of overview to implement security measure on the dozen or so site I manage. Looks like I’ve got a helluva lotta work ahead of me to implement on all of them.



  5. Awesome article, thanks!

    But here’s my questions: how do you know when these types of plugins need to be network activated or just activated on the main blog when using multisite. I’ve seen it said both ways. Some people say security plugins can be turned on just once for the primary site, and others say it needs to be network activated. Any clarification on this?

    Also, the security plugin you recommended mentions turning off windows live writer support…is that a necessary thing? I didn’t realize that was a security risk, aside from the standard risk of opening anything up to an outside source.

  6. Thanks for all your comments everyone!

    Otto, I’ve updated the post with your extra info – thx for adding it :)

    Ryan – to answer your questions:

    1) Security plugins are like every other plugin – some of them can be network activated and some of them can’t. You’ll need to refer to the specific plugin to find out. If it doesn’t have the info then you should contact the plugin developer.

    2) Windows Live Writer – this isn’t inherently a security risk but lots of people recommend that if you aren’t using it you should turn it off as it does add another way to access your website.

    Hope that helps!

  7. Great article.

    But don’t delete the admin username, just change the permissions for it to subscriber and set some random big password since you won’t ever need it, and create a new account with admin permissions. That way WordPress won’t return “Invalid Username” and the hacker will think “admin” is admin :) So even if the hacker manages to get into the “admin” account he can’t do nothing, it’s just a subscriber account :)

  8. I agree with boba up there. Deleting the admin account isn’t something that I would suggest. I would set it to subscriber instead and let the hackers go nuts. Also there are hard coded plugins out there that assume the admin account is actually an admin account. If a hacker was to come along and recreate the admin account, they could wreck your site or pretend that they are actually the admin user.

  9. I’m pleased to have come across your post on securing the WP site. Having been a recent victim where someone hacked in and cleaned up my sql db.

    Until now security wasn’t really a concern, until I was hit hard. Thanks once again for the plugins you mentioned, apart from the WP plugins I now also use the McAfee antivirus scan and get a daily report of the logs from my website.

    Call it paranoia but better be safe than sorry than be bitten twice.

  10. Just another complete WP newb saying thanks for posting this. lol … add another thank you to the pile you’re collecting. Great … along with learning WP to begin with of course no tech subject is complete, w/o figuring out how cyber scumballs are using it to terrorize people.

    It’s karma, karma I tell you !!! All these mile long acronyms and techno jargon are payback for all the terrible things I’ve done ! Sighs, may as well add mass WP hacker attacks and backdoor plugins to the list of things that give me a headache.

    Anyway, … venting concluded, thanks again.

  11. Good article, Siobhan.

    I wanted to point out an error in what you said about the permissions for the wp-config.php file. They should be 400 or 440, not 750 as stated above. See this WP Codex article section: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

    However, in this Code article, http://codex.wordpress.org/Changing_File_Permissions, it mentions setting the wp-config.php file permissions to 600 for shared server environments. I believe that 400 or 440 will work equally well on dedicated, VPS, or shared serving environments, but I’m not positive.

    I run a dedicated server and have all my WP sites’ wp-config.php files set to 400. My sites work fine. After all, you only need your server to read this file. There may be a few plugins that need to modify this file and therefore would need write permission. If you use plugins like that (I never do), then you would need to set the permission to 440.

  12. Excellent article!

    However, your article tells to use 750 on wp-config but BPS says to use 404.
    404 is practically impossible since the owner must have access to writing.

    How do I know what are the most secure permissions for all the files? I don’t think BPS is accurate.

  13. Hello,

    Great post… One of the important things about your WordPress backup is that you store your backups outside your hosting account and that you workout a great backup strategy…

    I’ve described a good mix of daily, weekly and monthly backups with auto-deletion of old backup archives here: http://www.wpsecuritychecklist.com/wordpress-backup-the-plugin-and-the-plan/

    On this site you can also download a free, comprehensive WordPress Security Checklist, which will help just about everyone improve their security…

    Just my two cents… keep up the great work!