10 Quick Steps To Securing Your WordPress

Securing your WordPress installation. WordPress is the most popular blog software, which also makes it the most attacked: automated scanners probe every WordPress site they find, looking for the same default settings. Here are 10 quick tips to keep your WordPress safe.

1. Do not use wp_ prefix in your database

When you install WordPress you get the option to choose your own table prefix; choose something other than "wp_". This does not stop a targeted attacker (the prefix is easy to discover), but it breaks canned SQL injection payloads that hard-code table names such as wp_users and wp_options.

2. Change the admin user name to something else and post from a non-admin

Every attacker's first guess is "admin", so rename the admin user! WordPress does not let you edit a username in place: create a new administrator with a different name, log in as that user, delete the old "admin" account and attribute its posts to the new one.

After you have replaced the default "admin" user, create another user with the Editor or Author role for day-to-day posting. This way the administrator's username does not appear in post bylines. Keep in mind that WordPress still reveals usernames through author archives (/?author=1 redirects to the author's slug) and the REST API users endpoint unless those are blocked, so treat the rename as a speed bump and rely on a strong, unique password for the administrator account.

3. Add another layer of security with .htaccess password protection for /wp-admin/ folder

Use .htaccess to password protect your /wp-admin folder, so that an attacker has to get past HTTP Basic authentication before ever reaching the WordPress login form. Put this in /wp-admin/.htaccess (the htpasswd file should live outside the web root; create it with "htpasswd -c /full/path/to/htpasswd username"):

AuthName "WP Admin"
AuthType Basic
AuthUserFile /full/path/to/webhotel/password_protected_folder/htpasswd
require valid-user

# Whitelist the ajax handler (used by some plugins for logged-out visitors)
# and the install stylesheet. <Files> matches a single file name, so the
# two files are listed as one FilesMatch expression, and the section must
# be closed or Apache answers every request with a 500 error.
<FilesMatch "^(admin-ajax\.php|install\.css)$">
    Order allow,deny
    Allow from all
    Satisfy any
</FilesMatch>

On Apache 2.4 the three lines inside the section become a single "Require all granted"; with the default AuthMerging Off it replaces the "require valid-user" for those two files only. Basic authentication sends the password base64-encoded, not encrypted, so only use this over HTTPS.

Note: This can stop some plugins from working (the easiest way to find out is to test it and see if your site still works right).

There are lots of tutorials on how to set a password on a folder with a .htaccess file; just search Google for ".htaccess password tutorial".

4. Install WordPress security plugins
Check out these plugins:
– WordFence
– Secure WordPress
– WP Security Scan

Each plugin is more code facing the web, so install only what you actually use and keep it updated (see tip 9).

5. Remove database Username and Password from your wp-config.php
If possible, create a file outside the web root and put your WordPress database login details there; a file the web server cannot serve cannot be leaked by a misconfigured PHP handler or a path disclosure bug. WordPress also looks for wp-config.php one directory above the installation, so on many hosts you can simply move the whole file up one level, outside the web root.
If this is not possible, put the login details in a .htaccess password protected folder.

Use the PHP require function to include the WP database login details in the config file, like this (the path is an example; the included file holds the define() lines for DB_NAME, DB_USER, DB_PASSWORD and DB_HOST that you removed from wp-config.php):

//DB Login
require_once( '/home/example/private/wp-db-login.php' );

6. Protect wp-config.php and .htaccess
If you use a server with .htaccess, you can put this in your .htaccess (at the very top) to deny access to anyone surfing for it. Every <Files> section needs its closing </Files> tag, otherwise Apache refuses the whole .htaccess and answers with a 500 error:

# Strong .htaccess protection
<Files ~ "^.*\.([Hh][Tt][Aa])">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

# Protect wp-config.php
<Files wp-config.php>
    Order Deny,Allow
    Deny from all
</Files>

On Apache 2.4 the Order/Deny lines are replaced by a single "Require all denied" inside each section.

7. Change File Permissions
It is very important that you have the proper file permissions to ensure your site's security. Restrict files to CHMOD 644 and folders to CHMOD 755: the owner can write, everyone else (including the web server, if it runs as a different user) can only read. wp-config.php deserves less than that, since it holds the database password: 600, or 640 if the web server has to read it through your group. Be aware that on hosts where PHP runs as your own user (suPHP, per-user PHP-FPM pools), 644 does not stop a compromised plugin from writing to your files, because the plugin runs as you.

Just open your FTP program, right-click the folder or file and click on "File Permissions", then set 644 on files and 755 on folders. Never use 777: that lets every other account on a shared server write to your site.
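Setting these by hand in an FTP client does not scale to the thousands of files in a WordPress install. The script below is an added example, not code from the original post: it applies 755/644 across a whole tree, tightens wp-config.php, and reports anything still world-writable. The install path is whatever you pass on the command line.

```shell
#!/bin/sh
# Added example, not code from the original post: reset a WordPress tree to
# 755 for directories and 644 for files, then tighten wp-config.php and
# report anything still world-writable. The install path is an assumption
# supplied by the caller.
set -eu

# wp_fix_perms ROOT: normalise permissions under ROOT.
wp_fix_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php carries the database password: keep it from other
    # accounts on the box (640 assumes the web server runs in your group;
    # use 600 when PHP runs as the file owner).
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# wp_world_writable ROOT: list files or directories anyone can write to
# (permission bit 0002 set). A clean tree prints nothing.
wp_world_writable() {
    find "$1" -perm -0002 -print
}

# usage: sh fixperms.sh /var/www/example.com/htdocs
if [ "$#" -eq 1 ]; then
    wp_fix_perms "$1"
    wp_world_writable "$1"
fi
```

Run it as the file owner; chmod fails on files you do not own and the script stops at the first one, which is itself worth knowing about on a shared host.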

8. Backup your files
Always keep a backup of all your WordPress files and also your database.

If something goes wrong, or your WordPress gets hacked, you have a backup. Keep it somewhere other than the web server itself (an attacker who owns the server owns its backups too), keep several generations so you can go back to before the compromise, and restore one now and then to prove it works.

Here is a good guide for backing up your database.
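As an added example (not from the original post or the guide it refers to), here is a small POSIX shell script that dumps the database with mysqldump and archives the files. It pulls the credentials out of wp-config.php so they are never typed on the command line; the install and destination paths are assumptions. Run it from cron and copy the result off the server.

```shell
#!/bin/sh
# Added example, not code from the original post: dump the WordPress database
# and tar the files into a dated backup. Database settings are read from
# wp-config.php, so nothing secret is typed on the command line. The install
# and destination paths are assumptions; pass your own.
set -eu

# wp_config_get FILE NAME: print the value of define('NAME', 'value') from
# wp-config.php. Assumes the value contains no quote characters.
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# wp_backup ROOT DEST: write DEST/db-STAMP.sql.gz and DEST/files-STAMP.tar.gz.
wp_backup() {
    root="$1"; dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    cfg="$root/wp-config.php"
    db_name=$(wp_config_get "$cfg" DB_NAME)
    db_user=$(wp_config_get "$cfg" DB_USER)
    db_pass=$(wp_config_get "$cfg" DB_PASSWORD)
    db_host=$(wp_config_get "$cfg" DB_HOST)
    mkdir -p "$dest"

    # Hand the password to mysqldump through an option file rather than
    # --password=..., which every user on the host can read from `ps`.
    cnf=$(mktemp)
    chmod 600 "$cnf"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
        "$db_user" "$db_pass" "${db_host%%:*}" > "$cnf"
    case "$db_host" in
        # DB_HOST may be host:port (the host:/path/to/socket form is not handled)
        *:*) printf 'port=%s\n' "${db_host#*:}" >> "$cnf" ;;
    esac
    mysqldump --defaults-extra-file="$cnf" --single-transaction "$db_name" \
        | gzip > "$dest/db-$stamp.sql.gz"
    rm -f "$cnf"

    tar -czf "$dest/files-$stamp.tar.gz" -C "$(dirname "$root")" "$(basename "$root")"
    # the dump contains the whole site, including user password hashes
    chmod 600 "$dest/db-$stamp.sql.gz" "$dest/files-$stamp.tar.gz"
}

# usage: sh wp-backup.sh /var/www/example.com/htdocs /home/you/backups
if [ "$#" -eq 2 ]; then
    wp_backup "$1" "$2"
fi
```

The database dump is as sensitive as wp-config.php itself (it holds every user's password hash and the options table), so the destination directory should not be under the web root either.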

9. Always keep ALL WordPress, plugins, themes etc. updated!
Maybe the most important tip. Always make sure the WordPress installation, and all plugins, themes, etc. are up to date.

10. Disable directory indexing
Put this line at the top of your main .htaccess to prevent directory indexing, so that a folder without an index file (wp-content/uploads, or a plugin directory) does not list its contents to visitors:

Options All -Indexes

If the site starts answering 500 afterwards, your host does not allow Options to be changed from .htaccess (AllowOverride). "Options -Indexes" on its own is enough and is accepted on more hosts, since some only permit the Indexes option to be switched in .htaccess.


Other good resources
Hardening WordPress, the official WordPress guide, is also highly recommended reading.