What or where can I find good WP Security instructions?

I have found many old posts about WP security but I would like to find the most up-to-date tips and instructions for hardening my WordPress sites and WP Multisite installs.

Can someone please point me in the right direction? Thank you very much.

  • Tom Eagles
    • Syntax Hero


    1) Don't use admin as the admin username.
    2) Don't use easy passwords; make them as strong as possible.
    3) Install Wordfence and/or AVH First Defence. These are very powerful security plugins.
    4) Make server backups regularly.
    5) Always keep all plugins and themes up to date.
    6) Use CAPTCHA on forms etc. to minimise the impact of spam.

    I am sure others will join in here but that list will get you well on the way to having a secure site.


  • LeonardsDesk
    • Flash Drive

    @Tom Eagles

    Thank you so much Tom. Sorry for the delay in response. We have been dealing with some pretty serious Tornadoes here in Oklahoma.

    I am trying to set up a Pro Sites platform for family and friends to contact each other in emergency situations and also be able to use their sites in any other way they choose to.

    The biggest question I get is about security. I am hoping to find some great easy-to-understand instructions on how to protect wp-config.php and .htaccess and the admin folder, etc.

    I will take a look at the plugins that you mentioned. But if you or anyone else has reliable information about some solid behind-the-scenes tactics for hardening security without breaking the flow of themes and plugins, please let me know.


  • LeonardsDesk
    • Flash Drive

    @Tom Eagles

    Thanks and I will report back when I have gotten things set up. I plan to set up the plugins as soon as my Pro Sites install is in place. I am hoping to provide the best security for my Multisite and not just an individual WP site.


  • lol
    • The Incredible Code Injector


    @Tom Eagles: You stressed all the important points!

    I would add:

    - If possible, don't use shared hosting
    - If you are lucky and run your own hosting on Linux, use fail2ban (and the WP plugin) to avoid log flooding


  • Decura
    • The Bug Hunter


    I agree with Laurent that shared hosting is not safe. About two months ago I randomly got access to another installation when trying to access my own. I'm looking into a new hosting provider for other reasons as well and expect to start switching in December.

    I have good experience using WordFence that Tom Eagles mentioned. It provides a way to limit the number of login attempts, which is important to note. This is an effective way of stopping brute force attacks. An alternative solution is to use this plugin: http://wordpress.org/plugins/limit-login-attempts/

    I'll not recommend the Bulletproof Security plugin, as it can create conflicts, or the Better WP Security plugin, as the possible modifications can cause trouble and the log is quite extensive. The latter recently gave me issues when restoring a backup.

    A way to do some standard modifications to the htaccess file and perform some edits is to use the WP htaccess control plugin: http://wordpress.org/plugins/wp-htaccess-control/

    A way to find unwanted users is the WangGuard plugin:

    I hope this helps.
