Rock Solid WordPress: 7 Quick Strategies to Beef Up Your Security

If you’re responsible for a WordPress site then you need to know how to keep it secure. You cannot afford to leave your product and investment unprotected. Most of these strategies will take you under two minutes to implement but can save you many hours of agonizing over how to clean up a mess created by the ravenous robots that roam the internet. You’ve heard the nightmarish stories of friends who have been hacked, but you need never be among them if you take the time to implement a WordPress security strategy. Here are a few quick strategies that will help you make your WordPress installation less vulnerable.

Add a New User With Admin Permissions and Delete the Admin User

You may have heard this before but may not have taken the time to do it. This is the easiest and perhaps one of the most important adjustments you can make to boost your security. Don’t ever use “admin” for a username. All the robots who target WordPress know that it automatically generates the admin user and that most people are unlikely to change it. Create a new user first and make it an administrator. Select a username that is not easy to guess. Then use it to delete the admin user.

Allow Only Your IP Address to Access the wp-admin Directory

If you are the only person who needs access to your blog and you have no editors or contributors, consider denying access to every IP address except your own. The wp-admin directory is vulnerable to attack, but this quick .htaccess trick will help you protect it. Add the following snippet to the .htaccess file in your wp-admin directory and replace xx.xx.xx.xx with your static IP address. If you want to allow access from other places, list each additional IP address on its own allow line.
```apache
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic

order deny,allow
deny from all
allow from xx.xx.xx.xx
```

Credit: Web Designer Ledger

Use SSH Instead of FTP

If you really want to cover your tracks and keep sniffers off your trail, use SSH to access your WordPress files instead of FTP. PuTTY is a free SSH client that you can use to transfer files between your machine and your server. SSH uses cryptographic technology to secure your session and will help keep you safe from traffic sniffers.

Get Regular Security Scans

This is essentially like a dental checkup for your WordPress blog to ensure that you don’t have any cavities. There are plugins that will take care of this for you. One is WP Security Scan. This plugin will scan your blog, notify you of any vulnerabilities and suggest things you can do to make your blog more secure. It checks passwords, file permissions, database security, version hiding and WP admin protection/security, and removes the WP generator meta tag from the core code of your blog.

Keep Your WordPress Version Updated

Chances are that your blog has not attracted the attention of a malicious hacker intent on destroying you. However, there are wicked armies of robots out there using any number of automated methods to try to exploit security holes in your installation. I know that upgrading can cause some tangles with plugins and is from time to time a huge pain, but it is necessary for your blog’s security, even if you’re not desiring new and updated features. Robots are very familiar with WordPress and know how to hack it, but if you keep your blog on the cutting edge you will generally be one step ahead of them.

Password Protect Your Most Important Directories

Enlist the help of AskApache Password Protection For WordPress. It adds multiple layers of security to your blog. The plugin is simple to use. Simply choose a username and password and you are done. The plugin writes the .htaccess file without messing it up, encrypts your password and creates the .htpasswd file, as well as setting the correct security-enhanced file permissions on both. Beyond keeping you safe from malicious attacks, it may even assist you in decreasing spam received on your blog.

Change Your WordPress Database Tables Prefix

This will help to protect you from SQL injections that can make your blog into a link farm. If this has ever happened to you, then you know it’s basically like getting heartworms. If you want to add an extra boost of protection when you install WordPress, make your table prefixes unique by editing wp-config.php file:

```php
$table_prefix = 'wp_';
```

Change the ‘wp’ to something that is meaningful to you and this will automatically make your database more difficult to inject than 99% of all WordPress blogs.
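Picking the prefix is the easy half; on an already installed blog the tables have to be renamed too, and WordPress also stores the prefix inside row data (the wp_user_roles option and the wp_capabilities / wp_user_level user meta keys), so a rename alone locks every administrator out. The following helper is an added example, not code from the article or from WordPress itself: it generates an unpredictable prefix, validates it against the characters WordPress accepts, and emits the SQL for a prefix change. The core table list is a constructed one for a single-site install; plugin tables and multisite per-blog tables (wp_2_posts and so on) carry the same prefix and would need to be added to it.

```python
import re
import secrets
import string
from typing import List

# Constructed list of the core single-site tables; a real database may also hold plugin
# tables (and, on multisite, per-blog tables such as wp_2_posts) that carry the same prefix.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
]

# WordPress only accepts letters, digits and underscores in $table_prefix;
# requiring a trailing underscore keeps "abcposts" from becoming an unreadable table name.
PREFIX_RE = re.compile(r"^[a-z0-9_]+_$")


def random_prefix(length: int = 6) -> str:
    """Unpredictable prefix such as 'k9x2qa_' drawn from the CSPRNG, not a word the owner likes."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length)) + "_"


def validate_prefix(prefix: str) -> str:
    """Reject anything WordPress would refuse, and the default prefix everyone guesses."""
    if not PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"prefix {prefix!r} must match [a-z0-9_]+ and end with '_'")
    if prefix == "wp_":
        raise ValueError("'wp_' is the default prefix; pick something else")
    return prefix


def wp_config_line(prefix: str) -> str:
    """The single wp-config.php line that has to agree with the renamed tables."""
    return f"$table_prefix = '{validate_prefix(prefix)}';"


def prefix_change_sql(old: str, new: str, tables: List[str] = CORE_TABLES) -> List[str]:
    """SQL statements for moving an existing install from prefix `old` to prefix `new`.

    Renaming the tables is not enough: the prefix is also embedded in row data, in the
    option name <prefix>user_roles and in user meta keys such as <prefix>capabilities
    and <prefix>user_level. Without the two UPDATEs every account loses its role.
    """
    if not PREFIX_RE.fullmatch(old):
        raise ValueError(f"old prefix {old!r} is not a valid WordPress prefix")
    validate_prefix(new)
    if old == new:
        raise ValueError("old and new prefix are identical")

    statements = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]

    # '_' is a single-character wildcard in LIKE, so escape it to match the prefix literally.
    like_pattern = old.replace("_", "\\_") + "%"
    keep_from = len(old) + 1  # SUBSTRING is 1-based in MySQL: drop exactly the old prefix
    for table, column in (("options", "option_name"), ("usermeta", "meta_key")):
        statements.append(
            f"UPDATE `{new}{table}` SET {column} = CONCAT('{new}', SUBSTRING({column}, {keep_from})) "
            f"WHERE {column} LIKE '{like_pattern}';"
        )
    return statements


if __name__ == "__main__":
    fresh = random_prefix()
    print(wp_config_line(fresh))
    print("\n".join(prefix_change_sql("wp_", fresh)))
```

Take a database backup before running the generated statements, and run `SHOW TABLES LIKE 'wp\_%'` first so that plugin and multisite tables end up in the table list; the wp-config.php line must be changed in the same maintenance window, since the site is broken between the rename and the config edit.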

13 Responses

  • When you had the original admin user, did you add your new admin username to the list of Site Admins in the options menu? If you are using WPMU you need to first go to Site Admin >> Options and then further down the page add the new admin username where you see: “These users may login to the main blog and administer the site. Space separated list of usernames.”

  • Site Builder, Child of Zeus

    Thanks Sarah! I completely forgot about that parameter. Turns out forgetting actually saved me as well, as I was still able to login as “admin” after supposedly deleting “admin” because of that parameter in Site Admin >> Options >> “These users may login to the main blog and administer the site. Space separated list of usernames.”

    Cheers.

  • New Recruit

    Yes. You need to change the Options in the Site Admin. Click on Options and scroll down to Administration Settings. The field is called Site Admin and the admin needs to be changed to the username of the new site admin. Otherwise you won’t have access to all Site Admin controls. Now you can login with the new account and delete the old site admin. I didn’t and had to go into the database and change it manually in the sitemeta table.

    I’m glad I’ve done this now.

  • About the prefix change in the DB.

    1. Can I do this after installing WPMU?

    2. Would there be plugins that could be affected by this? I can’t think of any functions in plugins that could, but I’m just putting it out there.

    3. Would I have to change it back after each upgrade?

  • But can I change it in wp-config right now? Or do I have to backup my db, and erase the tables first?

  • The Incredible Code Injector

    I have tried this two times so far. Each time I add a new user with admin privilege and then change admin to my new admin name, then save settings. The form immediately removes my admin privilege, so I log out. Then I attempt to login using my new admin name. …. It won’t accept my old password.

    The article does not mention what happens to the old password. Also, it cannot email my new password because it does not recognize something.

    So it is a catch 22. My only way out is to delete BP and then reinstall it all over again.

    Is there some part of the instructions that is going unsaid?

  • New Recruit

    Hi Ed,

    It’s a bit confusing. While admin, I created a new member and gave full administration privileges to it. Don’t delete admin just yet.

    While still logged in as “admin” user go to Site Admin > Options. Scroll down near the bottom is Administration Settings. The field for this is Site Admins and you can remove the admin and replace it with your new administrator’s user name. If it was me, it would be michaelmarian instead of admin. Then you can try out the new account and if all is well delete the admin account.

  • Flash Drive

    Sarah,

    Very nice article covering some of the basics that all WP owners should follow. The new WP 3.0 lets you select how you want to name the admin user, I just hope that people will not choose admin or, worse, god. Hopefully we will also see the table prefix as part of the installation procedure.

    I believe however that you forgot one additional step that can further increase the security of any blog.

    The most usual hack of a WordPress blog involves the file wp-config.php which is always located in the root of the installation. Someone being able to read that file will have full access to your blog, no matter how hard you try to protect it.

    Almost all hosting scenarios, from a dedicated server to a sharing package, include a folder that is outside of the confines of the webserver (i.e. no one can reach that folder from the web). The idea then would be to move the file wp-config.php to that folder and create a wp-config.php to replace it.

    Say that you are in a typical shared package where your webserver full path is /vhost/johndoe/httpdocs/. Chances are that you have folders in /vhost/johndoe/ where you can put files, such as /vhost/johndoe/private/

    So move your wp-config.php to /vhost/johndoe/private/wp-config.php and replace the original wp-config.php by the following code:

    Nobody will be able to get access to your DB connection string from the web space.

    For extra security, add the directive

    order allow,deny
    deny from all

    to your .htaccess file
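The article’s wp-admin snippet and the commenter’s wp-config.php directive use opposite `Order` values, and getting the order wrong silently changes who gets in. The following evaluator is an added example, not code from the article, the commenter or Apache: it parses the `Order` / `Allow from` / `Deny from` lines out of .htaccess text and applies the Apache 2.2 decision rules (with `order deny,allow` a request is allowed unless it matches a Deny line and no Allow line; with `order allow,deny` it is denied unless it matches an Allow line and no Deny line). The two inputs are constructed copies of the snippets on this page, with 203.0.113.7 (a documentation-range address, not a real host) standing in for xx.xx.xx.xx. The helper understands `all`, single addresses and CIDR blocks; hostnames and partial-octet forms are not handled.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Constructed inputs: the article's wp-admin snippet (203.0.113.7 stands in for "xx.xx.xx.xx")
# and the commenter's rule for the .htaccess protecting wp-config.php.
WP_ADMIN_HTACCESS = """
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic

order deny,allow
deny from all
allow from 203.0.113.7
"""

WP_CONFIG_HTACCESS = """
order allow,deny
deny from all
"""


@dataclass
class AccessRules:
    """Allow/Deny directives collected from one .htaccess (Apache 2.2 mod_authz_host style)."""
    order: str = "deny,allow"  # Apache's default when no Order directive is present
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)


def parse_access_rules(text: str) -> AccessRules:
    """Pull Order / Allow from / Deny from out of .htaccess text; other directives are ignored."""
    rules = AccessRules()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "order" and len(parts) == 2:
            rules.order = parts[1].lower()
        elif keyword in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            target = rules.allow if keyword == "allow" else rules.deny
            target.extend(parts[2:])  # several hosts may share one line
    return rules


def _host_matches(spec: str, client) -> bool:
    """'all', a single address or a CIDR block; an IPv6 client never matches an IPv4 entry."""
    if spec.lower() == "all":
        return True
    try:
        network = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # hostnames and partial-octet forms are out of scope for this helper
    return client in network


def client_allowed(rules: AccessRules, client_ip: str) -> bool:
    """Apache 2.2 semantics:
    order deny,allow -> start allowed; a Deny match denies unless an Allow line also matches.
    order allow,deny -> start denied; an Allow match allows unless a Deny line also matches."""
    client = ipaddress.ip_address(client_ip)
    allowed = any(_host_matches(spec, client) for spec in rules.allow)
    denied = any(_host_matches(spec, client) for spec in rules.deny)
    if rules.order == "deny,allow":
        return allowed or not denied
    if rules.order == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {rules.order}")


if __name__ == "__main__":
    admin = parse_access_rules(WP_ADMIN_HTACCESS)
    for ip in ("203.0.113.7", "198.51.100.9"):
        verdict = "allowed" if client_allowed(admin, ip) else "denied"
        print(f"wp-admin from {ip}: {verdict}")
    config = parse_access_rules(WP_CONFIG_HTACCESS)
    verdict = "allowed" if client_allowed(config, "203.0.113.7") else "denied"
    print(f"wp-config.php from 203.0.113.7: {verdict}")
```

The failure mode worth checking on your own server: under `order deny,allow` everything not explicitly denied is allowed, so dropping the `deny from all` line leaves wp-admin open to the world even though the `allow from` line is still there. Note also that these directives belong to Apache 2.2; Apache 2.4 only honours them through mod_access_compat and otherwise expects `Require ip` / `Require all denied` instead.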

Comments are closed.