WordPress is one of the most ubiquitous content management systems in the world. Even better, it’s open source! However, as an open source piece of software, it can be vulnerable to malicious individuals digging through code and finding vulnerabilities in the code, which they attempt to exploit. As such, WordPress sites have been prone to security breaches and being hacked, and having your WordPress site hacked can be damaging to your reputation and your business. At Themify, we often hear about WordPress security issues from members, thus it inspired us to share this article.

Stay Updated

WordPress itself constantly badgers you about new updates that are available for WordPress – dont ignore these! Its vital that you stay up to date on your WordPress installs, themes, and plugins to ensure that any existing vulnerabilities have been patched up.

WordPress will display the update notifications as soon as you login, Themify shows you notifications on the Themify admin panel, and other plugins and themes should have something similar. Keep updating your files and stay up to date!

Remove Inactive / Old Themes and Plugins

WordPress Themes and plugins that are installed on your WordPress website, but are currently inactive or old versions are security risks: they may not be the most up to date and have security holes that malicious attacks can take advantage of.

Your best bet is to remove any themes and plugins that you are not currently using and stick with what you need.

Disable the Theme / Plugin Editor

Intruders who are able to guess your admin login and password are able to access your theme or plugin files and insert their own malicious code. For example, they can replace a template file into a PHP uploader and upload more files or change file permissions without your knowledge.

Disabling the built-in Theme and Plugin text editor inside of WordPress ensures that these intruders arent able to modify your Theme or Plugin code in any way.

In the directory that youve installed WordPress into, you will find a file called wp-config.php, and you will need to add the following code into that file:

/* disable theme editor and plugin editor */
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );

Once disabled, you should no longer be able to edit files inside of the WordPress admin panel.

Protect Your .htaccess File

Your .htaccess file acts like the gatekeeper for your websites figurative guts. It allows you to control permissions of files, meaning you can determine who has access to specific files or file types. Its a hidden file that sits in the root directory of your website, and youll need to show hidden files in order to be able to access it.

Once you are able to edit it, add this to the file:

# protect .htaccess file
<Files ~ "^.*\.([Hh][Tt][Aa])">
 order allow,deny
 deny from all
 satisfy all
</Files>

This will ensure that no one from the outside world can access your .htaccess file, protecting yourself from intruders who attempt to change file permissions on your website.

Disable Directory Listing

While youre inside of .htaccess, you might as well disable the ability to get directory listings from your WordPress install.

Directory listings are used to see all of the contents of folders, and are often used to look at websites as a whole. However, being able to see them is not good, as it usually means its exposed to the public, meaning that people can search for vulnerable files and exploit security holes.

You must be editing the root .htaccess (the one for your entire website install) of your website, and you need to add this:

Options -Indexes

This will restrict the ability for anyone and everyone from being able to list the contents of your website, making it that much harder to find vulnerable files.

Protect the wp-config.php File

Another fun thing to add to your .htaccess file, since youve been inside of it for the previous two!

Your wp-config.php file contains a lot of information that can be very sensitive, should someone ever gain access to it. Things like your database username and password, which is essentially your WordPress websites lifeline.

The WordPress website database can be protected by ensuring the wp-config.php file is locked down and secured. Add this to your .htaccess file:

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

As with everything else, this code prevents outside, public access for wp-config.php, ensuring that your very sensitive data is relatively secure!

Prevent wp-login.php From Being Accessed by Unknown IPs

If you havent guessed yet, this is another fun trick done by editing the .htaccess file. The file, wp-login.php, is the gatekeeper to your WordPress admin panel. By default, you can access this page from anywhere and everywhere, which is convenient, but also a huge security risk.

Using .htaccess, a list of IPs can be created that are allowed access, commonly referred to as a whitelist, to prevent non-known IPs from attempting password guesses.

Inside the root folders .htaccess, add this code:

<files wp-login.php>
order deny,allow
deny from all

# static IP
allow from xxx.xxx.xxx.xxx

# dynamic IP
allow from xxx.xxx.xxx.0/8
allow from xxx.xxx.0.0/8
</files>

Fill in your actual IPs in place of the x-placeholders. If you know your actual IP, stick with static (just be sure to update it, should it change!) or use dynamic if you need to allow a range of IPs. There are a multitude of websites that will give you your exact IP address, and they are a quick search away.

Prevent wp-admin From Being Accessed by Unknown IPs

The protection levels of ‘wp-login.php’ through an IP whitelist can be doubled by creating the same whitelist for the wp-admin folder inside of the WordPress directory. Add this code to your .htaccess file to prevent non-known IPs from accessing your wp-admin folder:

<LIMIT GET>
order deny,allow
deny from all

# static IP
allow from xxx.xxx.xxx.xxx

# dynamic IP
allow from xxx.xxx.xxx.0/8
allow from xxx.xxx.0.0/8

</LIMIT>

Deny Executable Files Like .exe Extension

Executable files are trouble – they will often contain malicious code that can install worms and virus on user’s computer. These can be blocked, of course, using .htaccess!

Add this to your .htaccess file:

# deny all .exe files
<files "*.exe">
order deny,allow 
deny from all 
</files>

This, like the other code, prevents any and all .exe files from being access on the server, ensuring that you steer well away from those troublesome executables.

Add a Firewall

Much like the .htaccess whitelist, allowing only known IPs access to wp-login.php, a firewall will only allow known IPs to access your FTP server. This is something that you will have to contact your website hosting provider to set up.

Additional Plugin Recommendations

Acunetix WP Security
Login LockDown
AskApache Password Protect

Conclusion

Website security is typically the last thing on the minds of website owners, but priorities should be raised on website security to keep WordPress sites safe and secure. The above list is a solid start, and hopefully useful.

References

48 Comments

Webbing
Dec 3, 2013 at 4:22 pm

this is a solid compilation and extremely helpful, thank you

axiu
Dec 3, 2013 at 7:55 pm

Nice tips, useful for the website security.

Ryan
Dec 3, 2013 at 10:00 pm

Another great WordPress plugin is: Limit Login Attempts
It automatically blocks someone after they try to login numerous times.

Ryan
Dec 16, 2013 at 11:48 pm

Lately the brute force attacks on the wordpress login page has increased, and plugins like “Limit Login Attempts” don’t help as much. This is because the attacks are spread out over many different IPs.
A good solution for this type of attacks is to lock down the wp-login.php file and wp-admin directory like Nick mentioned with .htaccess.

Philippe
Dec 4, 2013 at 2:16 am

Typo on “Deny Executable Files Like .exe Extension”:
# deny all .exe files
> <———-

Steve Ambielli
Dec 4, 2013 at 10:11 am

Nice tips. I already use some of these and the others I will incorporate.

Gary
Dec 5, 2013 at 6:07 am

It’s great that you recommend to delete old and inactive plugins and themes. It is so simple to do and yet, although many people deactivate unused plugins/themes, they don’t delete them.

Victoria
Dec 5, 2013 at 11:27 pm

Great tips.Thanks a lot for mentioning the code here.Keep updating.

Tim
Dec 6, 2013 at 9:40 am

Great tips. Might want to correct that typo in the EXE blocking bit:

>

That second “>” will cause a server error.

Nick La
Dec 9, 2013 at 9:35 pm

Thanks. It is fixed now.

Arianna
Dec 9, 2013 at 2:14 am

Thanks for sharing these wonderful tips with us. Honestly speaking these tips are really very hard to find anywhere online.
Thanks
http://www.61DesignStreet.com

Barry Reynolds
Dec 10, 2013 at 10:12 am

Thanks for this inside information which almost acts like a mini-tutorial. Easily applicable and very useful.

Fergus
Dec 12, 2013 at 9:46 am

The tips you have shared are really useful and simple to understand. People who have WordPress sites, they need to make sure its protection in each way.

Micah
Dec 12, 2013 at 5:50 pm

I have found a plugin which enables all of this and more and highly recommend it.
http://wordpress.org/plugins/better-wp-security/

Patrick
Dec 13, 2013 at 1:45 am

Thanks for sharing the tips. When using Better WP Security, we have be careful with certain feature, some feature take much of virtual memory and result a site down.

Marcel
Dec 14, 2013 at 5:19 am

Thanks dor sharing this tips. Most of them missed on my blog :-)

Gio
Dec 14, 2013 at 7:29 pm

Thanks! I’m just starting with my site and I really need this. There’s a lot to learn.

Joshua Jacoby
Dec 17, 2013 at 6:48 am

First, best post ever on WP security. Many of the security plugins are memory hogs, and when you run multiple domains this becomes a big, big issue, these WordPress security solutions using .htaccess are great.

That is a great point @Patrick! with better wp security you cannot use file detection without consuming a lot of memory, and even 404 monitoring can really take a lot of memory. I would also mention that you need to be sure your firewalls and security are set to allow (whitelist) the google IP range – I wrote a post about some of the SEO pitfalls that can come up with certain plugins: http://myfavoritewebdesigns.com/wordpress-seo/3-types-of-wordpress-plugins-that-can-hurt-your-seo/

Asif Ameer
Dec 17, 2013 at 3:17 pm

Well thats like a mini tutorial , thanks for putting it together really appreciate that. I hope now i am gonna improve little but of my expertise hehe.

Jeric
Dec 18, 2013 at 2:28 am

I’ve read similar post like this before but I can still remember the tip provided their about having a long password. :D

Amy Jasmine
Dec 18, 2013 at 3:10 am

Incredible Tips to protect WordPress sites! As usual you just rock in producing excellent blog and the codes are very useful.

Website design
Dec 18, 2013 at 4:03 am

Thanks for the informative post. I have heard that there are WordPress plugins that make your site vulnerable to hacking. Is this true? can you provide a few examples?

Leo Paulson
Dec 18, 2013 at 6:51 am

This is more than useful information that you have shared here. I love WordPress and I probably don’t see myself using another CMS anytime soon so I really appreciate these tips and I am going to implement them. I tried out Better WP security Plugin a while ago and it was also impressive for those who don’t want to fiddle with WP files.

Ghost
Jan 19, 2014 at 12:28 pm

I agree with you. I also use Better WP security Plugin for my security. But thank you WDW for your post. I learned some new things that will hep me in my next project.

Mystik Creation
Dec 19, 2013 at 4:56 am

Interesting and acceptable tips which must consider while in security concern about WordPress site. As today, It’s more challenging to be secure and protect online business from any external attack. So be ready to protect your WordPress site by following above mentioned tips.

Lydie Baillie Parisot
Dec 19, 2013 at 9:55 am

Great information to help fend off hacker intrusion. Clients often disregard even the basics like updating as something they believe optional and without consequence. For that reason, security and the importance of updates are something we address with clients at website delivery presentations. It’s so critical with WordPress that some hosting companies will actually shut a WP website down over this issue.

Theo
Dec 19, 2013 at 2:37 pm

Great tips! I would also recommend Jeff Starr’s “Block Bad Queries” http://wordpress.org/plugins/block-bad-queries/ Thank you.

Dale Little
Dec 20, 2013 at 1:19 am

Thanks for the best tips for WP Security. Keep updating your blog.

Reddy Rk
Dec 20, 2013 at 12:02 pm

Ow Man… You always Cool Tip.. Really many thank’s

Keith Davis
Dec 27, 2013 at 2:20 pm

Great overview of WordPress security.
I use a combination of free and paid WordPress plugins for security including the one that @Theo recommends “Block Bad Queries”
My paid plugin is Sucuri.

Dallas Designs
Jan 2, 2014 at 5:28 am

Its perfect solution but can you please tell me how i can secure my payments issue? because may be some time i am hiring admin for few necessary work so i want to know more solutions about it.
Also thanks for sharing this awesome information keep it continue

R.
Jan 2, 2014 at 2:53 pm

I’ve used the technique to whitelist specific IPs, but the problem comes in when my clients aren’t using static IPs, or try to edit their website when they are travelling. It’s not ideal because then you have to keep updating the whitelist with the new IPs, and the clients get frustrated because they can’t access their website. Is there any way around that? I mean, I think the other security measures are really good, but whitelisting just seems to cause problems and frustrations so I don’t use it for client websites.

Mat
Jan 5, 2014 at 11:18 am

Hi, first of all thanks for the article.
But I have an issue with one of your suggestions. When I try to add the “Options -Indexes” code line to my .htaccess file, no matter where I put it, I always get a 500 server error and I cannot access the website neither the wordpress dashboard. Any idea why could cause the problem?
Thanks

Melikhan Mutlu
Jan 8, 2014 at 10:07 am

Thanks for sharing to protect our websites

Jeff
Jan 10, 2014 at 11:51 am

Hi, great details you have provided us. I was fed up about attaining the complete information with such coding details.
Thank you for solving my problem.

Sue
Jan 15, 2014 at 5:27 pm

Thanks Nick, for such an informative post on WordPress security. Since so many sites these days are built using WordPress, it tends to be vulnerable to attacks.

Digiwebpro
Jan 15, 2014 at 7:21 pm

Thanks, but how to test the security of WP ?

Agency Fusion
Jan 15, 2014 at 7:43 pm

Great advice. Every blog owner (new and old) should read this. :) Sadly, most blog owners who run into WordPress security problems have to learn the hard way.

Adil Meo
Jan 19, 2014 at 4:55 am

bundle of thanks for this security tips :)

James Morrison
Jan 21, 2014 at 1:08 am

What the best thing i like about this post is that you have provided the code snippets for direct usage. Otherwise I have to search for these and spend some more time on each one. I used to work on many WordPress sites simultaneously, and so this information is really a beneficial one for me for effective working.

Kim
Jan 21, 2014 at 6:32 am

Thank you for sharing. Especially the whitelisting of IP-addresses is useful for me as I often work from very different locations and therefore change IP-address often. I love WordPress, though I know other systems are even more flexible, but WordPress saves time with all the plugins and is not entirely for geeks.

Boca website designer
Jan 21, 2014 at 8:10 am

Nowadays everyone wants their sites more protective and secured and your tips and points for making a wordpress website secured are awesome and the coding which you have written in this article is really useful and helpful for everyone.

Mike
Jan 22, 2014 at 4:48 am

Thanks Nick. I had no idea that old inactive themes were a risk.

Janice Schwarz
Jan 23, 2014 at 10:04 am

I’m a fan of the plugin BulletProof Security, which handles the .htaccess issues for me. A few clicks, and it’s configured. I’ve used it for every WordPress site for a couple of years now with no problems.

Jack @ Buoyancy Media
Jan 23, 2014 at 11:30 am

Great tutorial, It`s a pain sometimes trying to protecting WordPress from hackers and spammers. I will bookmark this page for future reference, Thanks!

çizgi film
Jan 26, 2014 at 4:26 pm

Interesting and acceptable tips which must consider while in security concern about WordPress site. As today, It’s more challenging to be secure and protect online business from any external attack. So be ready to protect your WordPress site by following above mentioned tips.

Sabrina
Jan 29, 2014 at 1:48 pm

Nick, this may be a bad question… But do you have to re-upload these files (wp-config.php and hta.access) with the new security code everytime WordPress does an update? Don’t they overwrite files? Thanks!

Alan
Jan 31, 2014 at 12:42 am

Great, Actually was searching solution for this “Deny Executable Files Like .exe Extension”

Found it … thanks!

Post Comment or Questions

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.