Five Steps To Make Your WordPress Installation More Secure

Five Steps To Make Your WordPress Installation More Secure

WordPress is the most commonly used content management system out there, and its open source code can make it rather simple for some to hack into. Here are a few tips you can do to beef up your security on your WordPress installation. These steps will require file access through FTP.

Before making any changes, it is highly recommended that you make a backup of your files and database, just in case an error occurs during the application of these changes.

1. Move the wp-config.php up one level

With most hosting companies, the webspace provides a specific folder for all your web files which is not the root folder for your account. Some of the most common options are public_html or httpdocs folders for your WordPress installation. The folder level above this is not accessible via web services, and can usually only be accessed via FTP or command line; and is often used for mail accounts, logs, configuration files, etc.

Showing the wp-config.php file above the httpdocs folder.

By default, WordPress will automatically look for its wp-config.php file in the main install folder, as well as one level above. So by moving your wp-config.php up above this folder, you are preventing direct access to the file from the web. This adds an extra layer of security for your database credentials and configuration.

If you cannot bring the file up one level because of the way your hosting is configured, then you should at least make sure that your wp-config.php file is set to permissions of 400 (or 440, 640, 644 if you encounter issues), and add the following lines to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all

2. Additions to the wp-config.php file

To prevent some additional functionalities, it is highly recommended that you remove the file editing option and force debug to false. Some themes and/or plugins might have some trouble with these options turned off, if that is the case for you, I would recommend that you find alternative themes/plugins.

define('DISALLOW_FILE_EDIT', true); // Disables file editing from within the WordPress back-end.
define('WP_DEBUG', false); // Forces the debug functionality to false

File editing is recommended to only be done via file management options, either FTP or from your hosting company’s administrative panel, such as cPanel. The debug option should only be set to true in a development environment for testing reasons, and should never be active in a production environment.

3. Additions to the theme’s functions.php file

To hide certain WordPress information that can be used against your installation, removing the generator and login errors are recommended.

To do this, add the following lines at the top of your theme’s functions.php (found in wp-content/themes/), above the code, but below the <?php.

function no_generator() { return ''; }
add_filter( 'the_generator', 'no_generator' );
function explain_less_login_issues(){ return '<strong>ERROR</strong>: Entered credentials are incorrect.';}
add_filter( 'login_errors', 'explain_less_login_issues' );

The built-in generator function simply outputs a meta tag in your website’s front-end to display that the website was generated by WordPress. The issue here is that it also prints out the WordPress version you are using, which can give would-be hackers a quick start.

The login errors function removes the additional details from failed login attempts and displays one basic message for all errors. By default, WordPress would point out if the error was an incorrect username or password. By disabling this feature, there is no confirmation that the username is actually valid or not.

4. Add a firewall plugin to block bad queries

Many malicious requests come in the form of web requests to built-in functions that can be used to insert new users, display passwords or alter critical configuration information of your installation. A simple option is to add a firewall plugin to block any unwanted queries. There are many free and paid options available, but one of the most popular is BBQ: Block Bad Queries.

5. Change default settings from WordPress

Some hosting companies offer a ‘quick install’ of WordPress for you and will send you the information once it’s setup. The disadvantage of many of these scripts is that some of the options remain the default. Two critical options that should be changed in the installation are the administrative username and the database table prefix.

The standard username for WordPress is ‘admin’, which makes brute force attempts relatively easy as that is usually the first username attempted. Ideally, if you are able to specify a different username at the install, you should choose something that you’ll find easy to remember but that is not generic (e.g.: administrator, manager, root, etc.). If your username is set to admin already, you can simply create a new username, grant them admin rights, log out as admin and log in as the new user, and delete the admin user. Please note that in this case, you may have to change the posts’ author if you were posting as an admin.

Lastly, the database table prefix should be set to something different than the default, which is ‘wp_’. Again, if you are able to specify this at the install level, you should choose something relatively complex which contains letters and numbers. If your installation is already completed, you can use the following free plugin to complete the change: WordPress Table Prefix Rename¬†by SEO Egghead. Once installed, you can use it to create duplicate tables with the new prefix, and change your wp-config file (if possible) to reflect this change. Again, a database backup is strongly recommended.


Once all these steps are completed, your WordPress installation will be much more secure than before, but unfortunately, will not be impregnable.

Make sure to always keep your WP version, themes, and plugins updated so that your installation includes the latest security updates and bug fixes. It is important to note that updating your theme will remove the modifications done in step #3, so you will have to add them after the update.

Should you have any issues or require any assistance in securing your website, feel free to can contact me.