Basic WordPress Security

WordPress has no doubt exploded in popularity over the last few years. I use it on almost a daily basis not only to power this site, but at least a few dozen other sites for my job, and for personal projects. But it’s not infallible – because of its widespread use, it’s a popular target of hackers, which prey on a basic set of vulnerabilities that a novice user doesn’t always think about. Here’s a few tips to harden your WordPress installation and give yourself a little peace of mind.


Probably one of the easiest ports of entry for a would-be intruder. Luckily, it’s also one of the easiest exploits to guard against. If you are running a site with multiple users, it may be good to install a plugin that enforces strong passwords.

Here’s some general tips for picking a strong password.

  • Don’t use simple dictionary words (password, 1234, colors, iloveyou, baseball, all made this list of the top passwords of 2012)
  • Don’t use the same password you’ve used elsewhere. Once your password is cracked on say, yahoo, hackers will often try it on other sites using the same username and password until they get in.
  • Use a mixture of Upper and Lower case Letters, with numbers and symbols – the more the better.

It’s not just your wordpress accounts that are vulnerable. Create super-strong passwords for your server user accounts, and your database connection as well.

File Permissions

Depending on where your site is hosted, you may, or may not have to worry about this as much. If you have full root control over your server, make sure your permissions are in order.

Here are the basic linux commands for a quick, basic security blanket over your file permissions. Read the full article on Hardening WordPress here.

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} ;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} ;


There’s a good chance your hosting enviornment is running Apache or Apache2, in which case you’ve probably already changed your permalink settings, which modifies a little file called .htaccess that lives in the root of your web directory.

Take the time to open this file, using nano .htaccess (or sudo nano .htaccess)

There should already be a little bit of code there that looks like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

This is the basic permalink writing code. Make sure you add stuff either before or after this block.

Here’s the stuff you want to add. The first block prevents anyone from writing to the wp-config.php file – a common intrusion point. The second block keeps scripts from using rewrite in directories they have no business using.

<files wp-config.php>
order allow,deny
deny from all

RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]

Save your .htaccess file and move on.

Security Through Obscurity

It’s a pretty novel concept, but few people seem to take into account how effective it really is. Don’t use “Admin” or “Administrator” as your main administrative account. It can be anything you want. Hackers know most people are going to simple use the recommended “Admin” as the Administrator Username, giving them an edge when it comes to brute-force attacks of your site logon.

When you are first setting up your site, choose a different table prefix for your site to prevent scripts that target the standard “wp_” prefix – make it “4f9A_” and give them something difficult to figure out.

Core and Plugin Updates

Keeping your site up to date with the latest patches and updates is a no-brainer. Although it can be an exhausting exercise if you have more than one site to maintain, the latest WordPress Core updates and Plugin Updates contain the best protection against the most current threats. If you see a message nagging you to update your WordPress core – take the 15 seconds to run the update. It will be worth the hours of time it could possibly take repairing an exploit run on outdated software.

Backup and Recovery Plan

When the shit hits the fan, it’s good to have a plan. If you watch Doomsday Preppers, you know these people have a solid, executable plan when things get ugly. The first line of defense if making sure your site is backed up. The second line is knowing what changes to make when your site has been exploited to make sure it doesn’t happen again. Start with your database. Change the actual password to your wordpress database, then work on your user account passwords. Restore your site and monitor for 24-28 hours to make sure the exploit doesnt happen again.

Most of the time, it’s a brute-force attack on a weak password. Educate your users on keeping strong passwords, and move on.


Pingdom offers a free service to monitor your site from downtime. It’s a decent front line defense – but realize your typical attack is aimed at causing nearly imperceptible disruption to your site – hijacking links or tricking your users into downloading malware – all without making it obvious your site has been hacked. Make it a weekly ritual to open up wp-config and a few other files and look for lines like this:

<?php eval(gzinflate(base64_decode(‘

They often occur at the very top of the infected page, and have to be looked at from the server side. Simply viewing the source doesn’t always show any sign of infection.

This particular infection is nasty – it’s code that has been encoded and is decoded only at the time the page is requested, often eluding standard detection techniques.

There you have it – a basic set of rules to keep your wordpress site in check. Threats nowadays are multi-faceted, and no one solution will keep you safe, but deploying as many safeguards as possible will minimize your risk of being hacked.