How to Secure Your WordPress Blog

wordpress-password-thumbnailSecuring or as some have dubbed ‘hardening’ your WordPress is important. Why? Well, it allows you to keep out hackers or if you have guest writers, you can make sure they do not take over your blog and boot you out. Also, it could help you with spammers. If you are reading this article and doing a first-time installation (for a self-hosted blog, meaning you have an account with a web host and your own domain), make sure that your web host is up-to-date on things like PHP, MySQL, Apache.

If your web host uses cPanel, then make sure that it is also up-to-date. Most web hosts will update if you ask. The up-to-date concept also extends to your WordPress. If you are not using the most current version, as well as the most current plugin versions for your WordPress site, you could be risking your site’s security. According to Matt Mullenweg during WordCamp Chicago 2009, keeping your WordPress up-to-date is the first and most important thing to do. (paraphrasing)

Here are some steps in creating a more secure WordPress.

How to Secure Your WordPress Blog – For Intermediate Users and Developers

1. Don’t use basic usernames like “admin” for your site. This is the first thing hackers try before moving onto different usernames.

2. Make a dynamic and strong password. It is best to not use an easy or common password. Sometimes with numbers and letters (both capital and lowercase) mixed together are great. It is best to write these down in a special ‘book’ of login information. Even if it might be convenient to put something you will remember, there is also those times when you may not feel well and not be able to recall your password. Yu can use the Strong Random Password Generator site to help produce a good password for you.

3. Keep your WordPress install up to date with the most current version.

4. Keep all of your plugins, code snippets, and external scripts up to date.

5. Use level privileges to specify your guest writers. Even if you think they are nice and trustworthy, sometimes the strangest things may occur like some falling out and if you do not set the user level, you will risk the integrity of the blog.

In fact, you can limit their access even further by installing the Role Manager plugin.

6. Use Askimet to help flush out the spam OR Growmap Anti-spam Plugin, also known as GASP. Also, in your WordPress settings, you can set IPs to deny, words, and such to filter out spammers.

7. Use your .htaccess file to restrict access to certain areas like wp-admin, wp-content, wp-includes, and single files like wp-config.php. These are often called Hardening WordPress and you can read more about hardening WordPress in the Codex if you desire.

In order to do this, you can write a new .htaccess file. A lot of times with automatic installers like Fantastico Deluxe, they will generate a htaccess file for you. If you are using permalinks, you will have to keep that information in your htaccess file, so if you go to your WordPress under Manage>Files>.htaccess, you can get the code to retain your permalink structure. However here is a simple one that you can put together. It protects your .htaccess file, your wp-config.php file, your directories, and a little snippet to protect yourself from spammers. Just copy and past the lines into your .htaccess file.

    Step 1. Protect Your .htaccess file itself

    order allow,deny
    deny from all

    Step 2. Protect wp-config.php

    Step 3. Disable directory browsing

    Options All -Indexes

    Step 4. Protect from comment spammers

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post.php*
    RewriteCond %{HTTP_REFERER} !.** [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Optional Hardening

Disallow and protect individual files

When you have done this, it is best when implementing anything to test your website to make sure these commands are working properly. It is also advisable before doing these updates to have a full backup.

You may even want to try blocking bad bots. In fact, Perishable Press has a great list of bad bots you can block. You just need to copy their list, and paste it into your htaccess file.

8. Try adding another login to protect the wp-login.php page (which most of you will bring up when you go to

You can also put an extra login with an Apache Login Authentication on top of your wp-login.php. While you can hide it, you can also use this method to deter bots from logging in as this method puts another log in, so if they can’t get that, then they won’t even be able to reach your wp-login.php. In order to do that:

Note This method works for those using web hosts that have cPanel.

Step 1. Create a text file and add the following to the to it.

Save as .htaccess (Note: You can also generate this at Htaccess Authentication generator)

Step 2. Create a 2nd text file. Go to the Htpasswd Generator and put in a unique username and password. This will generate a password that is hashed together using the MD5 algorithm.

Name that file .wpadmin . (Please note that if you choose to use a different file name, then it must be changed in your Step 1 of this method.)

Step 3. Load both the .htaccess and .wpadmin files to the Home Directory of your web hosting account. Instead of loading it into the public_html folder for cPanel users, load it one directory above that.

Go to your site and try to log in. You should see a login box pop up to ask you to authenticate yourself. πŸ™‚

How to Secure Your WordPress Blog – For Basic Users

If you’re not code savvy, and the above information just about scare the poo out of you, don’t worry, there are some plugins that can help! There are actually 2 really good WordPress security plugins on the market: iThemes Security (formerly known as Better WP Security) or Wordfence. Both of these plugins are not much different, but the iThemes Security Plugin does give a lot more options.


Above is a screenshot of results after a scan with iThemes Security. (You can click on it to view it larger.)

Some other features of iThemes Security are:

  • Removes the generated meta tag
  • Change the urls for WordPress backend, especially: login and admin
  • No more being logged in forever
  • Restrict access to theme, plugin, and core update notifications for roles that are not allowed
  • Does away with Windows Live Write header information
  • Does away with RSD header information
  • Renames the account name “admin” if such exists
  • Changes ID number of the ID 1 user if such exists
  • Changes the WordPress database tab prefix from wp_ to something else
  • Changes path to the wp-content foldeer
  • Locks down login
  • Bans bad bots
  • Enforces users to use stronger passwords
  • Throttles bad user agents brute force attacks

…and much more.

Please note that Wordfence doesn’t change your database tables or usernames for you. They focus more on blocking bots and providing a good scan in its basic version.

Both iThemes Security and Wordfence are very comprehensive, even with their basic free download version, and give you a cool roadmap of things you have to do in order to make your site secure. Some of the suggested fixes are things that you can even have the plugin do for you. πŸ™‚

Here are some other resources on securing your WordPress blog:

If you believe you’ve been hacked, you can do a scan of your site at Sucuri. Please do note that while Sucuri is very reputable, they have been known to produce false positives. This means that sometimes the hack may be clever enough that not even Sucuri picks up on it. Use your judgement. Or, you install a plugin like iThemes Security or Wordfence, as mentioned above. It’s probably better that you try both the Sucuri scan and the one you have. However, in rare cases, you may end up resorting to manually checking files if you have a persistent hack issue. As another note, the plugins do offer to do an option to scan your site and gives you a roadmap toward securing your site.

Don’t forget that you have the option to tell your web host that you might be hacked and ask them for a scan on the server. If you feel you may have exploited files, request a scan. They will do it because it is part of most web hosts terms. If you catch the method before them, you run less risk than them suspending you as they see that you’re being pro active about keeping your web hosting account clean and secure.

In the case that your web host find any problems, they usually quarantine the files and let you know what was infected. As a note, sometimes the host’s anti-virus scan may turn up a false positive on plugins or themes that may have encrypted code that the original developer has placed because they don’t want other developers to know the secret on how to re-produce the same functionality on another theme or plugin.

Do you have any extra suggestions that should be added?

(Updated September 3, 2013)


  1. says

    hi Nile

    Your post is it really useful to learn about securing a WordPress blog from malicious attacks. Changing the default administrator username,keeping stronger passwords and defining user-level access is definitely the first configuration any blogger must do. I’m thankful especially for those hints about the code required to tighten the security. I was using plugins to tighten the blog security, and now I hope I will be able to better configure using at the .htaccess file. Thank you for the awesome post.

    • says

      I like to use the more developer approach and not use plugins. Aside from using htaccess and robots, I also have a list to block bad bots.

  2. says

    Great tips as always Niles. I’ve been using Bulletproof Security and have had no issues (knock on wood!). I began using LastPass a few months ago and that has also helped and made me feel a bit more secure, but with the latest news about passwords being leaked for Facebook, Gmail and Twitter I’m thinking I will make it a priority to change all of my passwords before the end of the year – just in case.

    • says

      That’s great. I know that Bulletproof security plugin is not too bad and quite a few use it. I listed the 2 that I felt were the most helpful.

      I usually recommend changing passwords at the latest… every 90 days.

  3. says

    Hi Nile

    This is an great method to secure our wordpress blog which I have been hacked not able to recover my data because its been my beginning stage later, a great blogger who helped me to recover my data and thought me on how to secure the data really your post can give idea for all bloggers

  4. says

    Hello Nile! I did install the Better WP Security plugin but have never ran a scan I suppose this is something I should do HUH? I still have not updated to WordPress 3.7.1 nor any of my plug-ins for a while now!! This is a great reminder I did just write it on my To-Do List for this week Thanks for sharing.. Chery :))

    • says

      You definitely need to update your WordPress install. We are nearly at WordPress 3.8 now, and stable. Once you update everything, then do the scan. πŸ™‚

  5. kilat aryanto says

    i also use wordpress, nice post, my friends says to make password you can combinate alphabet, number and symbols. he say password with that combining will very difficult to hack.

  6. says

    Hey Nile , what a great information you have . I like this. I came here by mistake, but now , i realize its not a mistake , its my Luck . Thanks for sharing πŸ™‚

  7. says

    Thanks Nile for your post. After reading your post I have enabled Better WP security which was disabled by default when I changed my domain. The best way to prevent hackers and bots is to implement captcha on the login page.

    • says

      Actually, the best method is not to allow registration if you aren’t allowing subscribers to your blog and any authors, you should manually create. You don’t need the Captcha in place if you have a security plugin as it has things in place to lock down and block bots.

  8. says


    On one of my servers, 3 web sites were blocked last week. It seems that 2 of the sites that I don’t often use had either outdated plugins or the WP had not been updated. The hosting company did the scan, since I was unable to access the site or the cpanel.

    I am not as technically savvy as you are, and I noticed that with these security packs I also need to enable certain things. it can be confusing. My current issue is to choose a back up for my recent blog site. Any suggestions of which might be the best plugin?

    • says

      The biggest things is to keep your WordPress site, and your plugins up to date. Any plugins or themes you aren’t using, remove them.

      BackUp Buddy (paid) or Back WP Up (free) are good for backing up WordPress. Just a note though, I really only recommend having these plugins activated when you are using it… its better to just conduct the backup once or twice a week as sometimes the scheduling feature is not always honored.

  9. says

    Great.. I never actually looked at security of my blog until it was hacked last month. I appreciate the efforts you put in making this amazing post so much useful. Thank you very much πŸ™‚

  10. says

    Wordpress blogs are more vulnerable than blogger blogs that’s why we should make sure to make it more secure.
    and that’s awesome information for doing just that! πŸ™‚

    thanks for sharing such a good article do keep it up please
    Im a royal visitor to this great blog πŸ™‚

  11. says

    Terrific tips Nile! I learned the hard way a long time ago how important it is to secure your site. I was hacked and it took hours of work to get it back up and running. What a nightmare!

    I’ve used WP Security and Wordfence and since installing haven’t had a problem. It’s well worth the time to ensure your site is secure.

  12. says

    as always, so much t learn here in your blog.. it is amazing for me to just imagine al what you write about and securing the WP blog was interesting since I never thought of any of this so far hhaah πŸ™‚

    I find this info very useful to learn about how to secure the WP blog from attacks.

    I did change the passwords to something different that admin was something that some one else suggested and I done it right away… but the rest.. well, I am doing it slowly, since I can only learn some at a time.

    Thanks so much for sharing so much knowledge…and useful information.

  13. says

    Hi Nile,

    I hope your readers take your security advice seriously! I’ve been fortunate not to be hacked, but it wasn’t for lack of trying. Hackers were hitting GrowMap so much it was impacting the other sites on the server – and it is currently on the largest dedicated server at HostGator! Their brute force logging in attempts were continuous starting Friday night through Sunday. (I guess they thought they would be less likely to be stopped manually using Wordfence.)

    • says

      Gail, it was because HostGator let themselves be compromised and they took nearly a whole month to fix the problem at the hub. They also provide a level of security as required of them, but they’ve been really horrible about it.

  14. says

    Security of your blog is the first thing that matters a most. If your blog is insecure then there is no point in blogging . Wordpress blogs are the most suffered one’s to these kind of hacking attacks bloger blogs are quite secure because it’s hosted on google server. Thanks for sharing this information with us. Hope you would share contents like this more and more.

  15. says

    Great advice, Nile! A couple of tricks I use are:
    1. Use Softaculous rather than Fantastico to install WordPress, because this allows you to set the admin name to something other than “admin” and also to change the file prefix to someting other than “wp_”. Both of these inhibit hackers.
    2. I use the BulletProofSecurity plugin to manage the .htaccess file (and others). It takes a bit of setting up the first time, but is pretty secure and very easy to update.
    3. I also use the paid version of Sucuri, because even with all that some of my sites get attacked. I used the free version to try it, and then upgraded when I needed to.
    Hope this helps

  16. says

    Hi Nile,

    You have shared some “valuable” information here about blogs. I don’t think some people realize how important it is to keep you blog secure.

    Thank you again, Monna

    Have a great day.

  17. says

    Thanks for sharing these wonderful tips. As securing the Wordpress blog is a major concerns and I was not aware that we need to restrict htacess file as well. I was always thought that some plugins to secure wordpress is enough.

  18. Edward Chung says

    Thanks for the important tips on securing Wordpress websites. I have overlooked them in my implementation!

  19. Zaman says

    Hi Nile thnks for this information i had been suffering from hacking issues on my blog ,but now i updated my wp-config & htaccess file & im feeling secure

  20. says

    Every blog post should having good content and that content should briefly describing the title of that blog thanks for sharing. Just Like I wrote about Valentines day in my blog.

  21. AAmir Awan says

    This is really interesting post, you will write every point with fully detail and your site is also informative, hope i will visit it soon, keep it up…

  22. Sally says

    Can you please tell how to disable Ctrl+U button on your site so that people can view the sources code because I have seen that keywords i am using is getting copied. Is there any plugin can do that or javascript?

  23. Vinay kakumani says

    Great post…thanks for sharing the security of wordpress. if this security will spoil the SEO? this is to what i want know

  24. says

    As we know,Wordpress is the best platform and also most widely used platform to start a blog.
    So there should be security in it..
    You have shared such great security tips..I really like and now will implement on my blog.

  25. says

    Hey Nile
    Thanks for explaining us about this most valuable information, As WordPress security is the most important for bloggers and webmasters. I am using ” Better Wp security ” plugin for the security of my WordPress blog.

  26. says

    Thanks for these tips! Sometimes I get paranoid about someone hacking my site. But I’m glad that I’m already doing most of the tips here. πŸ™‚ Btw, love the color combination of your blog! <3

  27. says

    Hi Nile. Excellent tips. Sometimes plugins will want to write to the wp-config.php or they may not function properly, so I guess you have to test that out. I also use Wordfence, along with Growmap Anti Spambot Plugin, and of course Akismet. All great plugins. You can never be too careful with spam and security! All the best.

  28. says

    I am afraid playing with the htaaccess file because my whole site was destroyed because of some minor changes I made. I think a video tutorial on this would be really awesome for a non coder like me to work things out.
    Thanks mate!

  29. Nitta Roy says

    Dear Niles!
    That is wonderful article for every wordpress blog/site user. A blog that has been hacked can suffer from loss of content, stolen data and expensive downtime. Maintaining the security of our blog helps we protect our reputation and provide our visitors with the best service possible.

    Because WordPress is such a popular platform for blogging, it’s a regular target for hacking attacks launched by people who find and exploit weaknesses and vulnerabilities in websites.
    your best regards

  30. says

    I must say, I feel somewhat challenged after reading this. Except for using the latest version of WordPress, technically it’s above my pay grade, But thanks for the heads up, I will certainly speak to my web host for assistance.

  31. says

    The problem with the wordpress is that Its easy for anyone to see what type of plugins you are using by visiting the wp-content/plugins folder. To keep potential intruders from finding out the plugins that you use, you can create an empty ‘index.html’ file and place it in your plugins folder.

    Better WP Security is great plugin but its not working on multisite.

  32. says

    A better article on wp-security, Though most of my friends will still not able to implement your hacks in htaccess. Wp better security is a must have plugin for any wordpress site, what is your opinion after hardening your wordpress security and then delete wp better security plugin.

  33. Shailesh says

    Hi Nile, Nice Post written here. It is relevant. Security for a blog is very essential for now a days. we don’t know how and when hackers are attacking on our blogs or websites. So, we need to take precautions before attack someone of our blog. I would like use WP Security or WordFence Plugins on my wordpress blog. It’s free and easy to use.

    Thanks for sharing this.

  34. Britney Johnson says

    I alos want to add one thing.. I think we should not add many plugins which are less secure or useless.. and Yes you already mention it should be updated..

  35. says

    Securing your WordPress installation should be a priority now as we keep reading about hack instances all the while.

    I would recommend disabling directory browsing as this will stop anyone from snooping and seeing what files are present on your installation.

    What does protecting wp-config file will help with?

  36. says

    thanks for your tips.I will surely use those codes and make my wordpress sites safer than before.And thank you again for such a terrific blog as nowadays there are no blogs such like yours about WP-Securities.

  37. says

    I’m still on and each time I add a post I see this notification on top that asks me for a two-step authentication. I think I have askimet already. Would this be necessary?
    I’m planning to get self hosted this month so I am very glad I found your site. Great blogging resource!

    • says

      The cool thing about being on is that they do have a layer of security in place. You usually only need what they provide, their 2-step notificiation and Akisment. When you go to self-hosting, you will have to put some of these suggestions in place for your website. Oh, and I host for as low as $40 a year as well on my dedicated server. πŸ˜‰

  38. Zainul Hal says

    Great article… honestly i am a newbie, till i found this article. it interests me to more learn how to make my web more secure. thanks a lot.

  39. says

    Hi Nile,
    This such an excellent article with a lot of great tips and resources. Thank you for a very detailed write up on WordPress Security.

    By the way, I use Sucuri for protecting my WordPress and I also use their WordPress plugin to protect my installations. In that case, what I would probably like to ask you is, how do you compare Wordfence or Better WordPress security with Sucuri’s plugin and do you think what I am going is better or same or worse?

    Thank you for putting some light on this.


  40. says

    I am very happy after reading this article and liked your tips to secure the wordpress.Most of the Wp users use the admin for their username and they should avoid doing so.Password should me very precise because passwords like 123456 or abc123 is tried even my the nubs when they think they can hack someones account.Numbers & words combo is the best way to creating a rocksolid password.You mentioned about Akismet and I also prefer it as it is the most crucial and most used plugin by the Wp users and it is a proven plugin.Loved the article as you explained everything very beautifully and the image contents makes it easy to understand.

  41. Raviraj says

    Thats an awesome tutorial. Nowadays wordpress hacks are taking place very very often.. Even my blog got hacked few days back . Gonna do everything as said above. Bookmarking this
    Thanks for sucha cool article

Comment Policy: Your words are your own, so be nice and helpful if you can. Please, only use your real name, otherwise your comment will be removed. Most comments are moderated until you've been approved as a trusted commentator.

Leave a Reply

Your email address will not be published. Required fields are marked *