5 Crucial WordPress security tips

Sometimes there are so many tips, suggestions and plugins out there that it gets a little overwhelming to tell which ones work and which do more harm than good. However, a recent mass exploit of the Pharma Hack managed to compromise WP sites across multiple servers and hosts, mostly because the WP installs needed an update; in one case on a server I manage, a single out-of-date WP install was used as a gateway to infect those that were up to date. It would appear that if you are not taking at least some basic steps and making them part of your default install procedure, then you really should be.

From my experience these really are the basic steps you should be taking. If you are not, you are walking a thin line, and when you fall off it will not be easy to explain to your paying clients why you were too lazy to take these basic steps.

1. Don’t use the admin account – The default user account created with every installation of WordPress is called admin. Unfortunately the entire world knows this, including hackers, who can easily launch a dictionary attack on your website to try to guess your password. If a hacker already knows your username, that’s half the battle. It’s highly recommended to delete the admin account or change its username.

2. Move your wp-config.php file – Did you know since WordPress 2.6 you can move your wp-config.php file outside of your root WordPress directory? Most users don’t know this and the ones that do don’t do it. To do this simply move your wp-config.php file up one directory from your WordPress root. WordPress will automatically look for your config file there if it can’t find it in your root directory.

3. Change the WordPress table prefix – The WordPress table prefix is wp_ by default. You can change this prior to installing WordPress by changing the $table_prefix value in your wp-config.php file. If a hacker is able to exploit your website using SQL Injection, this will make it harder for them to guess your table names and quite possibly keep them from doing SQL Injection at all. If you want to change the table prefix after you have installed WordPress you can use the WP Security Scan plugin to do so. Make sure you take a good backup before doing this though.

4. Use Secret Keys – This is probably the most followed security tip on the list, but still I’m amazed at how many people don’t do this. A secret key is a hashing salt that is used against your password to make it even stronger. Secret keys are set in your wp-config.php file. Simply visit https://api.wordpress.org/secret-key/1.1/salt to have a set of randomly generated secret keys created for you. Copy the 4 secret keys to your wp-config.php file and save. You can add/change these keys at any time; the only thing that will happen is that all current WordPress cookies will be invalidated and your users will have to log in again.

5. htaccess lockdown – Not always something you can do for clients/developers who move around, but if you can, you should. Using a .htaccess file you can lock down your wp-admin directory by IP address. This means only IP addresses you specify can access your admin dashboard URLs. This makes it impossible for anyone else to try and hack your WordPress backend. To do this, simply create a file called .htaccess (in the wp-admin directory you are locking down) and add the following code to it, replacing xxx.xxx.xxx.xxx with your IP address:

# The four Auth* lines are inert without a Require directive; the
# order/deny/allow rules below do the actual work. They use Apache 2.2
# syntax, which on Apache 2.4 needs mod_access_compat (the 2.4 form is
# "Require ip xxx.xxx.xxx.xxx").
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Deny everyone first, then whitelist specific addresses
order deny,allow
deny from all
# IP address to whitelist
allow from xxx.xxx.xxx.xxx

You can add multiple “allow from” lines, so make sure to add any IP addresses you plan on accessing your site from (i.e. home, office, etc.). Remember most ISPs use dynamic IPs, so your IP address might change on occasion. If you get locked out, just update your .htaccess file or delete it altogether. This obviously is not a good tip if you allow open registrations, as you need to allow your users access to wp-admin.
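Tip 3 above says a plugin can change the table prefix after installation. The following is an added example, not code from the original post or from that plugin: it generates the SQL a manual prefix change needs, including the two rows that embed the prefix in their names and are easy to forget. It assumes a MySQL-backed install with the core tables listed in CORE_TABLES; $table_prefix in wp-config.php must be updated to match afterwards.

```python
import re

# Constructed list of the core WordPress tables (assumption for this example;
# plugins add their own, so pass the real list from SHOW TABLES in practice).
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta",
               "posts", "terms", "term_relationships", "term_taxonomy",
               "usermeta", "users"]

# Same character class WordPress accepts for $table_prefix; validating it
# before it is spliced into SQL keeps this generator from injecting itself.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

def like_escape(s):
    # In LIKE patterns "_" and "%" are wildcards, so 'wp_%' would also match
    # 'wpXcapabilities'; escape them so only the literal prefix matches.
    return s.replace("\\", "\\\\").replace("_", "\\_").replace("%", "\\%")

def prefix_change_sql(old, new, tables=CORE_TABLES):
    """Return the statements for moving an install from prefix `old` to `new`.

    Renaming tables is not enough: the role definitions live in
    options.option_name = '<prefix>user_roles' and each user's capabilities in
    usermeta.meta_key = '<prefix>capabilities' / '<prefix>user_level'. Skip
    those two updates and every user loses their role after the switch.
    Afterwards set $table_prefix in wp-config.php to `new`."""
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError("invalid prefix: %r" % p)
    if old == new:
        raise ValueError("old and new prefix are identical")
    stmts = ["RENAME TABLE `%s%s` TO `%s%s`;" % (old, t, new, t) for t in tables]
    stmts.append("UPDATE `%soptions` SET option_name = '%suser_roles' "
                 "WHERE option_name = '%suser_roles';" % (new, new, old))
    stmts.append("UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) "
                 "WHERE meta_key LIKE '%s%%';" % (new, new, len(old) + 1, like_escape(old)))
    return stmts

if __name__ == "__main__":
    print("\n".join(prefix_change_sql("wp_", "xq7_")))
```

Run the output inside a transaction against a backup first, as the post advises; tables created by plugins need their own RENAME lines.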
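Tip 4 above points to the online salt endpoint. As an added example (not from the original post), here is an offline Python equivalent that generates the four define() lines and audits an existing wp-config.php for keys that are missing, still at the sample placeholder, short, or reused. The character set and the 32-character minimum are assumptions for this example.

```python
import re
import secrets
import string

# The four keys a WordPress 2.6-era wp-config.php defines (newer releases add
# matching *_SALT constants; pass those in `names` if your config has them).
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY"]
# Printable ASCII minus the quote and backslash characters that would break a
# PHP single-quoted string (assumption for this example, not WordPress's set).
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\"\\")
PLACEHOLDER = "put your unique phrase here"   # the stock wp-config-sample.php value
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")

def generate_keys(names=KEY_NAMES, length=64):
    """Return define() lines with fresh keys drawn from the OS CSPRNG."""
    return ["define('%s', '%s');" % (n, "".join(secrets.choice(ALPHABET) for _ in range(length)))
            for n in names]

def audit_keys(config_text, names=KEY_NAMES, min_len=32):
    """Check the keys defined in a wp-config.php body.

    Returns {name: problem} for every key that is missing, left at the sample
    placeholder, shorter than min_len, or identical to another key; an empty
    dict means all keys look fine."""
    found = dict(DEFINE_RE.findall(config_text))
    values = [found[n] for n in names if n in found]
    problems = {}
    for n in names:
        v = found.get(n)
        if v is None:
            problems[n] = "missing"
        elif v == PLACEHOLDER:
            problems[n] = "placeholder value"
        elif len(v) < min_len:
            problems[n] = "too short (%d chars)" % len(v)
        elif values.count(v) > 1:
            problems[n] = "same value as another key"
    return problems

if __name__ == "__main__":
    print("\n".join(generate_keys()))
```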

So, how many of these tips do you follow regularly?



  1. Jonathan says:

    The wp-config.php file suggests getting the secret keys from: http://api.wordpress.org/secret-key/1.1/salt (note the /salt suffix).

    Else good post; have forwarded it on to a few friends.

  2. mog says:

    This is true, …I updated my bookmarks but forgot to update the post, ..done.

    ..ah yes, ..and thank you, .. :P

  3. Mike says:

    These are some good tips. There are plenty of users who leave their sites as default who are usually the ones who get hacked.

    I have a list of some tips that I use for WordPress Security here:

  4. Great tips man. I follow all of these on every installation, but it always makes me wonder. Why doesn’t WordPress just force us to do this during setup or installation so that it becomes a non-issue?

    I think it will eventually be part of the setup or install process.

Marcus (mog)