How To Secure WordPress – WordPress Security

Wordpress SecurityAfter 8 months of silence, after 8 months of bathing in champagne and after 8 months of lying around various majestic worldwide beaches, I decided that it was time. Time for a new post, an eye opener to many, a grand piece of art, THE RETURN OF SHAREASCHNITZEL. Right. Enough foolishness, lets cut to the chase. You’re not here to read my failed attempts at humorous entrances, but because you want to know how to secure your wordpress and make it impossible for a hacker to gain the key to your website’s back-end. The later is, unfortunately impossible. If a hero of the 01000100’s picks your website as the prime target, you will not stand a chance.

However, with this guide you will be able to keep most of the script kiddies outside your perimeter and minimize the chances of your wordpress being hacked, to a minimum. I, by no means claim to be an expert in wordpress security, but HAVE seen how my websites became a playground for:

  • cloaking
  • sneaky redirects
  • injected links
  • infected viruses and malware scripts
  • clickjacking
  • various sql injections

On some occasions my websites were completely erased and replaced with adult content. As an after effect of any of those above actions my websites lost rankings, became flagged as websites containing malware/virus and even became de-indexed. Financial loss was measured in thousands upon thousands. A matter that is to be taken quite serious. You need to employ any and all appropriate counter measures as quickly as possible. Before you begin to make any of the changes, make a backup. If you don’t know how, scroll below.


It’s wise to lock down your files and directories as much as possible. All files except wp-config.php and the wp-content directory should only be writable by you.

  • CHMOD – All files to 644
  • CHMOD – All directories to 755
  • CHMOD – wpconfig.php to 750
  • CHMOD – wp-content/ varies. If your users or plugins require to upload, edit or otherwise change anything in that folder, you will need to manually assign a proper numerical value to each file/directory. Ideally you would use 644 here too if your cirumstances allow it. Note that while your permissions are at 644, some things may not work correctly like updating plugins. If you need to modify something change it to 777, but as soon as you’re done with your modifications revert it back to 644.


If you have multiple wordpress installations on the same hosting server, it’s wise to keep your database username and password unique for every wordpress installation. If a reverse engineer obtained user access to one of your websites, and your login credentials are all the same for your other websites, you may potentially experience damage on a much bigger scale. Keep your login details separate.


1) Exploit Scanner

This plugin searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames. It does not remove anything. That is left to the user to do.

2) Secure WordPress

Secure WordPress beefs up the security of your WordPress installation by removing error information on login pages, adds index.html to plugin directories, hides the WordPress version and much more.

  • Removes error-information on login-page
  • Adds index.php plugin-directory (virtual)
  • Removes the wp-version, except in admin-area
  • Removes Really Simple Discovery
  • Removes Windows Live Writer
  • Removes core update information for non-admins
  • Removes plugin-update information for non-admins
  • Removes theme-update information for non-admins (only WP 2.8 and higher)
  • Hides wp-version in backend-dashboard for non-admins
  • Removes version on URLs from scripts and stylesheets only on frontend
  • Blocks any bad queries that could be harmful to your WordPress website

3) WordPress Firewall

This WordPress plugin investigates web requests with simple, WordPress-specific heuristics, to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this; but they’re not always installed on web servers, and usually difficult to configure. This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.

4) Block Bad Queries

Block Bad Queries (BBQ) helps protect WordPress Against Malicious URL Requests. BBQ checks for excessively long request strings (i.e., greater than 255 characters), as well as the presence of either “eval(” or “base64” in the request URI.

5) Login Lock

  • Login Lock provides a number of security enhancing features:
  • Enforces strong password selection policies.
  • Monitors login attempts.
  • Blocks IP addresses for too many failed login attempts.
  • Lets you manually unblock IP addresses at any time.
  • Lets you forcibly log out all users immediately and require that they all change their passwords before logging back in.
  • Lets you forcibly log out idle users after a configurable number of minutes.

6) AskApache Password Protect (OPTIONAL)

This plugin is optional and for advanced users only, because you may lock yourself out of your wordpress panel for example. If however, you feel comfortable with playing around I would suggest you use it because it adds yet another layer of protection to your ever more secure wordpress.

AskApache Password Protect doesn’t control WordPress or mess with your database, instead it utilizes fast, tried-and-true built-in Security features to add multiple layers of security to your blog. This plugin is specifically designed and regularly updated specifically to stop automated and unskilled attackers attempts to exploit vulnerabilities on your blog resulting in a hacked site.


Improve your wp-config.php security by inserting authentication unique keys and salts. These security keys will help encrypt the information that are stored by cookies. This information helps WordPress identify your PC as the one that is currently logged in as a certain user. If your WordPress cookies are intercepted by a hacker, the obfuscated cookie will prove as an efficient way to block the hackers way to your administrator back-end. Insert this code anywhere in your wp-config.php. I usually insert it right at the beginning, above mysql settings. DO NOT USE THESE SAME KEYS AS BELOW. Visit this link to automatically get a random set of these keys.

define('AUTH_KEY',         '_@*#^I:E');
define('SECURE_AUTH_KEY',  '6YF0UH`Y');
define('LOGGED_IN_KEY',    'yuM{IAjT');
define('NONCE_KEY',        '3=kz9=1N');
define('AUTH_SALT',        '#+Cc@48R');


Bruteforce Attack is an attempt to obtain secret information by applying a wide range of user/pass possibilites. These attempts can quite easily be spotted by checking your log files for a series of failed login attempts. To significantly minimize all chances of a succesful bruteforce attack, download the login lock plugin mentioned above. Set it up to restrict the number of login attempts and block an IP address if there were too many failed login attempts.

It’s wise that you choose a strong password with unusual symbols like these for example: !@#%^&*+_)-=\][‘;}{. It’s even more important to choose a proper username. Bruteforce attacks are usually targeted towards usernames like “admin”, “administrator”, “root”. Select a different username for better security. You can’t change this setting inside the wordpress administration panel. To change it you must go to your mysql tool (phpmyadmin), find your wordpress database, select wp_users (wp prefix may differ if you have changed it), click on the browse icon and locate admin. Then change the “admin” under the user_login column.

CREATE AN .htaccess FILE IN “wp-admin/”

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Save the file as .htaccess and upload it to your “wp-admin/” folder

Using htaccess to Prevent Hacking

Use .htaccess to prevent some common hacking techniques and increase the security of your website.

RewriteEngine On

# No web server version and indexes
ServerSignature Off
Options -Indexes

# Block suspicious request methods
RewriteRule ^(.*)$ - [F,L]

# Block suspicious user agents and requests
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]

# Block MySQL injections, RFI, base64, etc.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]

# Strong htaccess protection
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

Save the file as .htaccess and upload it to your root folder


This has been repeated in thousands of other pages acros the web for a reason. If you don’t keep your backups, you may completely lose your websites and all the work you have done, especially if your property was hacked. You can easily backup your wordpress with the most advanced and most simple plugin called EZPZ One Click Backup. You can also do it manually. Regularly check if your websites are online and/or if something suspicious is going on.


If your website is already hacked, and because you’re reading an article on wordpress security, chances are that your website is already compromised. In order to get rid of the malicious code or the attacker first thing you need to do is TAKE DOWN YOUR BLOG. You need to do this because most of these hacks are executed with scripts, attached to many files in your installation. A user who’s surfing your website might thus unawarely execute the script just by loading a page of yours. The easiest thing to do is create a .maintenance file in your wordpress root and write down why your website is down at the moment. You don’t need to upset your visitors by telling them you’ve been hacked. Simply tell them that you’re in maintenance and that you’ll be back in a short while. You could also rename the index.php file and create a new index.php file, again notifying your web visitors of the situation.

Employ all of the above steps, run each plugin. Then change your wordpress, mysql and hosting’s username and password. Look at your header and footer files for any suspicious code, javascripts, unusual inserts, links. Then, if you are sure that you completely removed the threat, put your website back online. If you’ve done everything and the website still contains malicious code, then you will most likely have to do a clean install of your wordpress again.


Add your websites to google’s webmaster tools and check for keyword significance, crawl errors and malware reports. If keyword significance reports unusual pharma, adult or similar spam words, your websites have been hacked (cloacked), but you don’t see it because to you your page appears normal, but to search engines like google the content appears different. Fetch your website as google bot (inside google webmaster tools) and see if someone clocked your website to appear different to the google bot as it appears to you. Also type your website name into google, bing and yahoo, see the cached version and look for anything suspicious.


NOTE: If you know or have something to add to this topic, please do so. I will update it accordingly.

Did you like this? Share it:

9 thoughts on “How To Secure WordPress – WordPress Security”

  1. This is a great list of things to do to secure your WordPress site…

    I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…

    I have now written up my experiences in a WordPress Security Checklist which can be downloaded for free on

    My checklist has a few more items and detailed steps for how to get the job done.

    Hopefully the checklist can help other people securing their WordPress sites…

  2. good post so far, – as I have found out by just trying it the ‘CHMOD – wpconfig.php to 750’ can also be lowered down much more to 440 as it is enough to be readable for the owner and the group.
    also you can also protect it more by adding:
    # wp-config- protect

    order allow,deny
    deny from all

    to your root htaccess – would be interesting if this works on all webhosts, or are some out there that will not allow htaccess -control

Leave a Comment