With every update, WordPress improves its security capabilities and fixes known vulnerabilities. As you know, the default configuration is always the riskiest one. To secure a site you need to customize your security settings, which means applying the best security practices for your blogging platform. If you are a new WordPress user, you might face a steep learning curve before you become concerned about security. We humans do not try to learn things unless we need to or love to; everybody thinks about user experience first. However, nobody trusts a site that gets hacked frequently. This post will show you how to apply WordPress security settings and practices to make your site more secure. You can easily implement the following instructions from cPanel, Plesk or any other control panel.
- Always create an administrative account for blog management, and a separate editing account (with posting privileges only) for adding posts to your blog.
- By default WordPress uses the path www.yourwebsite.com/wp-admin.php to log in to your blog. Since attackers are aware of this, you can rename this path with a plugin called Stealth Login. This is an excellent way to prevent automated attacks against your blog. Although there are plugins that modify the login page, it is better and more effective to change your login page through .htaccess. Remember that modifying the .htaccess file is not advisable for beginners.
Security Plugins to leverage your WP security check
By using the WSD Security plugin you can improve some aspects of WordPress security automatically. WSD is a free plugin and it works well. After installing and activating this plugin, click on the WSD Security bar on the left side of the WordPress admin dashboard and check whether you need to modify any settings. Normally all the settings are very simple and you will be given detailed instructions on what to do. To check your directory permission status, click on “scanner”; if any file has overly high permissions, you will see it straight away. In general this plugin checks the following settings:
- Whether you have the latest version of WordPress installed
- SQL table prefix check. If you are still using the default prefix (wp_), you can change it right from your dashboard
- Whether your WP version number is hidden
- Whether the display of DB errors is turned on or off
- Whether you have already renamed the admin user
- Whether your wp-admin folder has an .htaccess file
Normally you do not need an .htaccess file, but if you want to enable URL rewrite rules for clean URLs you need one in your WordPress installation. It is also used to restrict directory browsing. Under public_html you will see one htaccess file. You just have to make sure this file is hidden from the outside world, and for that its name must start with a dot (.). So, if your htaccess file does not have a dot in front of it, rename it so that it reads .htaccess rather than htaccess; that is all you need to do to hide it. Also remember to check the .htaccess permissions; ideally they should be 644. All the important folders (wp-admin, wp-content, wp-includes) need their permissions set to 0755, and not more than that.
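The permission values above (.htaccess at 644, the three core folders at no more than 0755, and no undotted htaccess file) can be checked from a shell account without clicking through a file manager. The following script is an added example, not code from the original post or from any plugin; it assumes a Unix host where the WordPress root is passed as the first argument, and with no argument it audits a deliberately misconfigured throwaway tree that it constructs itself.

```python
import os
import stat
import sys
import tempfile

# Values recommended in the post: .htaccess 644, core folders no more than 0755.
HTACCESS_MODE = 0o644
MAX_DIR_MODE = 0o755
CORE_DIRS = ("wp-admin", "wp-content", "wp-includes")


def audit_permissions(root):
    """Return a list of findings for the WordPress tree rooted at `root`.

    An empty list means .htaccess exists with mode 0644 and no core directory
    carries permission bits beyond 0755 (so no group or world write bit).
    """
    findings = []
    # A file named "htaccess" (no dot) is an ordinary, downloadable file.
    if os.path.exists(os.path.join(root, "htaccess")):
        findings.append("htaccess: missing leading dot, rename it to .htaccess")
    htaccess = os.path.join(root, ".htaccess")
    if os.path.isfile(htaccess):
        mode = stat.S_IMODE(os.stat(htaccess).st_mode)
        if mode != HTACCESS_MODE:
            findings.append(".htaccess: mode %04o, expected %04o" % (mode, HTACCESS_MODE))
    else:
        findings.append(".htaccess: not found in %s" % root)
    for name in CORE_DIRS:
        path = os.path.join(root, name)
        if not os.path.isdir(path):
            findings.append("%s: directory not found" % name)
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        extra = mode & ~MAX_DIR_MODE  # permission bits that exceed 0755
        if extra:
            findings.append("%s: mode %04o grants extra bits %04o" % (name, mode, extra))
    return findings


def make_demo_tree(htaccess_mode=HTACCESS_MODE, content_mode=MAX_DIR_MODE):
    """Create a throwaway tree (constructed sample, not a real site) and return its path."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for name in CORE_DIRS:
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), MAX_DIR_MODE)
    os.chmod(os.path.join(root, "wp-content"), content_mode)
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")
    os.chmod(os.path.join(root, ".htaccess"), htaccess_mode)
    return root


if __name__ == "__main__":
    # Pass the path of your WordPress root (public_html); with no argument a
    # deliberately misconfigured demo tree is audited instead.
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree(content_mode=0o777)
    for line in audit_permissions(target) or ["OK: permissions match the recommended values"]:
        print(line)
```

The check is deliberately "at most 0755" rather than "exactly 0755": a host that serves the site as a dedicated user may legitimately use tighter modes, and the only bits that matter for the post's concern are the group and world write bits.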
Secure wp-content and wp-includes folder
If you have not blocked directory browsing in your wp-content and wp-includes folders, you can do so by creating an .htaccess file. On your PC open a text file and put only the following line in it.
Options -Indexes
Now rename this text file to .htaccess and upload it to the wp-content and wp-includes folders on your web server. Alternatively you can block it from your control panel: go to the Index Manager in the Advanced section of your panel, click on the public_html folder name, then wp-content, and select “No Indexing”; in the same way select No Indexing for wp-includes, wp-content/plugins and wp-content/themes.
Note: if you put the URL www.yoursitename.com/wp-includes into your web browser and see a list of directories, you will know that you have not blocked directory browsing. The risk with directory browsing is that it lets an attacker know which plugins, and which versions of them, you are using with your WP.
After applying “No Indexing” to your directories, test whether it is working. To do so, paste each of the following URLs into your browser. If nothing comes up, you have successfully implemented one more layer of security for your directories. The URLs are:
www.yourwebsitename.com/wp-includes
www.yourwebsitename.com/wp-content
www.yourwebsitename.com/wp-content/plugins
www.yourwebsitename.com/wp-content/themes
www.yourwebsitename.com/wp-content/uploads
Remember to replace the “yourwebsitename” with your own domain name.
Another easy way to stop people from seeing your web directories is to create a blank index.html file and upload it to each folder where you want to prevent indexing. For example, if you want people to see a blank page instead of your directory listing when they type www.yourblogname.com/wp-content/plugins, just upload a blank index.html file by FTP to your wp-content/plugins folder. But this method does not apply to sub-folders, so .htaccess modification is the best way to prevent listing of a directory along with all its sub-folders.
Protect your WP-Config file
This file is located in public_html. Paste the following lines into the .htaccess file in the root of your web server to secure the .htaccess and wp-config.php files.
# Protect .htaccess files
<Files .htaccess>
order allow,deny
deny from all
</Files>
# Protect wp-config.php
<FilesMatch "^wp-config\.php$">
order allow,deny
deny from all
</FilesMatch>
After adding the above lines, make sure your blog is still being crawled by the search engines regularly. If you already have a WordPress sitemap, you can check the list of folders in non-indexing mode by going to:
http://www.yoursite.com/robots.txt
For your information, by the root of the web directory I mean the folder called public_html. So you need to put the above code in the .htaccess file just before the # END WordPress line or below the </IfModule> line.
Set the file permissions to 644: you can easily change them from the cPanel File Manager.
You can find more information about securing htaccess at
Another important modification you can make in wp-config.php is to change the secret keys. Changing these keys has no negative effect on your blog, except that it invalidates all existing cookies on your users' computers and forces them to log in to your blog again if they were logged in while you made the change. You can generate new keys automatically at https://api.wordpress.org/secret-key/1.1/salt/. Remember there are 8 keys in total; you can either replace them all or at least the last four, which end with the suffix _SALT.
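If you would rather not paste values from a web page into wp-config.php by hand, the rotation can be done locally. The script below is an added example and not the post's own procedure or anything from WordPress itself: it generates the eight keys from the operating system's CSPRNG, rewrites the existing define() lines in place, keeps a .bak copy, and reports any key name the file does not define so you can add it yourself. The SAMPLE_CONFIG text is a constructed stand-in for a real wp-config.php.

```python
import re
import secrets
import string

# The eight constants WordPress defines in wp-config.php (the last four end in _SALT).
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
KEY_LENGTH = 64
# Letters, digits and punctuation, minus the two characters that would need
# escaping inside a single-quoted PHP string.
SAFE_CHARS = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                     if c not in "'\\")
# Matches define('AUTH_KEY', '...'); with any amount of whitespace around the arguments.
DEFINE_RE = re.compile(r"define\(\s*'(%s)'\s*,\s*'[^']*'\s*\);" % "|".join(KEY_NAMES))


def generate_key(length=KEY_LENGTH):
    """Return a random key drawn from SAFE_CHARS using the OS CSPRNG."""
    return "".join(secrets.choice(SAFE_CHARS) for _ in range(length))


def rotate_salts(config_text):
    """Replace every recognised key define() in config_text with a fresh value.

    Returns (new_text, new_keys, missing): new_keys maps each name to the value
    written, missing lists the names that were not found in the file.
    """
    new_keys = {name: generate_key() for name in KEY_NAMES}
    found = set()

    def replace(match):
        name = match.group(1)
        found.add(name)
        return "define('%s', '%s');" % (name, new_keys[name])

    new_text = DEFINE_RE.sub(replace, config_text)
    missing = [name for name in KEY_NAMES if name not in found]
    return new_text, new_keys, missing


# Constructed sample of the relevant part of a wp-config.php (not a real file).
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


if __name__ == "__main__":
    import sys
    # Usage: python rotate_salts.py /path/to/wp-config.php   (no argument: print a demo)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    new_text, new_keys, missing = rotate_salts(text)
    if missing:
        print("not defined in the file, add by hand:", ", ".join(missing))
    if path:
        with open(path + ".bak", "w") as fh:
            fh.write(text)
        with open(path, "w") as fh:
            fh.write(new_text)
        print("rotated %d keys, original saved as %s.bak" % (len(KEY_NAMES) - len(missing), path))
    else:
        print(new_text)
```

Run it as the same user that owns wp-config.php so the rewritten file keeps its ownership and mode, and delete the .bak copy once the site is confirmed working: it holds the old keys, which would keep any previously stolen cookie valid if they were restored.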
You can also consider moving the wp-config.php file from your WordPress root folder (public_html) to the folder one level up. This does not affect anything except enhancing your WP security, and the good thing is that you do not have to change anything for it: just move the file, and WordPress will automatically detect its new location. For instance, you can move this file to your home directory (the one starting with a /).
Protect WP-Admin folder
Add an .htaccess file to this folder with the following code:
Options -Indexes
You can also think about using AskApache Password Protection for the wp-admin, wp-includes, wp-content and other directories.
Check the code for search.php
Almost every website or blog allows its users to search for content. You just have to make sure that you only allow your own content to be searched; never allow searching the entire server. To make your search secure, open the search.php code and look for the following code:
<?php bloginfo('home'); ?>
If the code is as given above, your search form is secure. But if there is any code such as <?php echo $_SERVER['PHP_SELF']; ?>, remove it and replace it with <?php bloginfo('home'); ?>.
Make Sure you’ve deleted the WordPress version information
Normally, in the header.php file you will see the following line, which shows the version number of your blog:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
To avoid showing your WP version, just delete the above line or simply delete the bloginfo('version') call.
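The three exposures this post asks you to verify by hand in a browser (directory listings on the wp-includes, wp-content, plugins, themes and uploads paths; wp-config.php and .htaccess answering with a page instead of a 403; and the generator meta tag in the front page) can be checked against your own site with one script. This is an added example written for this post, not code from the original or from WordPress; the DEMO_RESPONSES below are constructed responses standing in for a misconfigured site so the script runs offline, and the version number in them is a made-up sample value.

```python
import re
import urllib.error
import urllib.request

# Paths from the post that should never render a directory listing.
LISTING_PATHS = ("/wp-includes", "/wp-content", "/wp-content/plugins",
                 "/wp-content/themes", "/wp-content/uploads")
# Files the .htaccess rules in the post should make unreachable from the web.
PROTECTED_PATHS = ("/wp-config.php", "/.htaccess")
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]*)"', re.IGNORECASE)


def fetch(url):
    """Return (status, body) for url; an HTTP error is reported by its status code."""
    request = urllib.request.Request(url, headers={"User-Agent": "wp-exposure-audit"})
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status, response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def is_directory_listing(body):
    """True when the body carries the title or heading of an Apache autoindex page."""
    return re.search(r"<(title|h1)>\s*Index of /", body, re.IGNORECASE) is not None


def leaked_version(body):
    """Return the version string from a WordPress generator meta tag, or None."""
    match = GENERATOR_RE.search(body)
    return match.group(1) if match else None


def audit_site(base_url, fetch_fn=fetch):
    """Run the three checks against base_url and return a list of findings."""
    base = base_url.rstrip("/")
    findings = []
    for path in LISTING_PATHS:
        status, body = fetch_fn(base + path)
        if status == 200 and is_directory_listing(body):
            findings.append("%s: directory listing enabled" % path)
    for path in PROTECTED_PATHS:
        status, _ = fetch_fn(base + path)
        if status == 200:
            findings.append("%s: served with HTTP 200, expected 403 from .htaccess" % path)
    _, body = fetch_fn(base + "/")
    version = leaked_version(body)
    if version is not None:
        findings.append("/: generator meta tag reveals WordPress version %s" % (version or "(blank)"))
    return findings


# Constructed responses standing in for a misconfigured site (not real data).
DEMO_BASE = "http://example.invalid"
DEMO_RESPONSES = {
    "/": (200, '<html><head><meta name="generator" content="WordPress 3.0.1" />'
               '<title>Demo blog</title></head></html>'),
    "/wp-content/plugins": (200, '<html><head><title>Index of /wp-content/plugins'
                                 '</title></head><body>Parent Directory</body></html>'),
    "/wp-config.php": (200, ""),  # PHP ran the file and returned an empty page
}


def demo_fetch(url):
    """Offline stand-in for fetch(): answers from DEMO_RESPONSES, 403 otherwise."""
    path = url[len(DEMO_BASE):] or "/"
    return DEMO_RESPONSES.get(path, (403, "Forbidden"))


if __name__ == "__main__":
    import sys
    # Usage: python wp_exposure_audit.py https://www.yourwebsitename.com
    if len(sys.argv) > 1:
        results = audit_site(sys.argv[1])
    else:
        results = audit_site(DEMO_BASE, demo_fetch)
    for line in results or ["OK: no exposure found"]:
        print(line)
```

A 200 on wp-config.php with an empty body is the case worth understanding: PHP executes the file and emits nothing, so the browser shows a blank page and the file looks "protected" when it is not. The script treats any 200 on the two protected paths as a finding for exactly that reason.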
Admin account
You can either rename or delete the admin account. First create an account with any name and give it administrative privileges. Next, delete the admin account. In addition, you can create an account with the user name admin and give it fewer privileges in order to mislead an attacker. To allow only a specific range of IP addresses to access the admin account, you can use a plugin called WP Login Security; it allows only approved IPs to log in to your admin account.
Finally, WordPress has such a wide range of plugins with irresistible functionality that bloggers are often tempted to install and activate them without checking the plugins' security history. Only install plugins that have no reported security flaws. Always remember that most security breaches come from within, so when you are concerned about your site's security, talk to your hosting service provider and search Google for new security vulnerabilities.