WordPress Security: Tips to secure your WordPress website.

wordpress security

In a previous article, we talked about how to make WordPress website to load faster.  If you missed it you can read it here: Tips You Should Use to Speed Up Your WordPress Site

Today’s topic is – WordPress security.

When it comes to security, it’s very well known that WordPress sites are notoriously lacking, especially because people use plug-ins with questionable security or because developers have a poor security expertise when designing these plugins.

Given the fact that 74.6 Million Sites Depend on WordPress, it shouldn’t come as a surprise that they’re one of the hottest targets for both script kiddies and experienced hackers. In fact, in 2013 alone about 90,000 WordPress websites have been hijacked for use in a botnet. You can read more on it here: WordPress Sites Targeted by Mass Brute-force Botnet Attack.

On top of that, WordPress websites are also known to be a popular target for malware. Because of these severe issues, we’ve decided to make some effort in order to come up with a few methods that can be used for addressing these basic security malpractices or holes that are present in the vast majority of WordPress websites.

Running the Latest Version of WordPress

The first and most important thing to do when it comes to using any type of software on your website is to ensure that you’re running the latest version. The truth is that more than 80%  of WordPress installations currently use outdated versions, so that’s why updating your WordPress website is so important to improve security.

Not only do WordPress updates bring in new features, but they also fix security issues and bugs to make it harder for hackers to exploit website’s vulnerabilities. Luckily automatic background updates were introduced in WordPress 3.7 in an effort to promote better security.  By default, every site has automatic updates enabled for minor core releases and translation files. You can read more on it here: Configuring Automatic Background Updates

Running the Latest Versions of Plugins and Themes

Even if you do have the latest version of WordPress, that’s not enough, since your website’s themes and plugins can still contain various vulnerabilities that can compromise your website. One good example in this regard is the Slider Revolution plug-in which can easily compromise your WordPress website’s security. Sold on the Envato Market, the Slider Revolution is currently used on millions of WordPress websites and it makes it easy for hackers to steal database credentials which can then lead to the total compromise of your WordPress site through its database.

You can lunch the URL below to check if you site is vulnerable for the LFI attack. Just replace the victim.com with your domain name.


This is used to steal the database credentials by downloading the wp-config.php file via web browser, which then allows you to compromise the website via the database. This type of vulnerability is known as a Local File Inclusion (LFI) attack. If you have Slider Revolution installed make sure you update it to the latest version. You can read more on it here: Hackers exploit critical vulnerability in popular WordPress theme component

If for some reasons you can’t update the slider you can block access to the wp-config.php file in your .htaccess file by adding 2 lines below:

RewriteCond %{QUERY_STRING} wp-config.php [NC]
RewriteRule ^(.*)$ index.php [F,L]

Even if your WordPress themes, plug-ins and installation are up to date, that doesn’t mean your website is 100% safe against attacks. Therefore, it’s important that you only choose to install plugins that you need and never plugins that you know little about and could very well compromise your website’s security.

Be selective when using the types of themes and plugins to use. Before you install a theme or a plug-in, make sure to research on it. It’s also important to check the number of downloads the theme or plug-in has and the last time its authors updated it. If the plug-in has many updates and downloads, then that’s a good sign it’s actively maintained by the authors, so if any security flaws are found, they’re going to be fixed immediately.

 Restrict Access to wp-admin Directory

If you want to make it harder for hackers to guess your users’ passwords, then it’s important to password protect your WordPress admin area by using HTTP authentication. In the event your users’ passwords are stolen by attackers, they won’t be able to access the WordPress login form unless they get past the HTTP authentication.

Basic HTTP Authentication

It’s important to take note that standard HTTP Authentication demands that passphrases are sent over the network as standard text. Because of that, it’s very important that you use HTTPS for the purpose of encrypting the data transfer.

If you have an Apache HTTP Server, you can easily do this if you create a .htpasswd file.

In order to password protect content, there are a few directives we must become familiar with. One of these directives in the .htaccess file ( the AuthUserFile directive ) tells the Apache web server where to look to find the username/password pairs.

Instead of directives, the .htpasswd file contains username/password pairs. The password will be stored in encrypted form and the username will be in plaintext.

This file contains combinations of password and usernames hashes that will be used by the server for the purpose of authenticating users. A .htpasswd file can be created by using an Htpasswd Generator 

You can create a new.htpasswd by running the command below. After running it, a new .htpasswd file will be created at /srv/auth/.htpasswd. The username in this case will be “myuser”. After doing so, you’ll be prompted to enter your pass and then confirm it.

htpasswd -c /var/www/.htpasswd myuser

Note: Make sure that your .htpasswd files are not stored in a directory that can be accessed via the internet.

If you’d like to allow for standard HTTP authentication on the wordpress admin area, it’s necessary that you activate the functions below on the wp-admin directory. To do that create .htaccess file inside the wp-admin directory and copy and paste the lines below:

AuthType Basic AuthUserFile /var/www/.htpasswd
AuthName “WordPress Authenticated area.”
Require valid-user

The AuthType directive specifies the type of authentication type. In our case, we’re configuring Basic authentication.

The AuthUserFile directive defines the complete path to the .htpasswd file. This is going to be used for the purpose of storing password hashes that will eventually be used by the server for authenticating anyone connecting to it.

The AuthName directive includes an arbitrary message which the user is going to be welcomed with upon successful authentication.

Prevent Log files from downloading

By adding the lines below to your .htaccess you can prevent downloading a log files from your server via web browser.

<Files  ~ “\.log$”>
Order allow,deny
Deny from all
Prevent PHP files from executing

Because WP sites need to make it easy for users to upload content when they want to, it’s important that the wordpress “upload” directory is writable. Because of that, your wp-content/uploads directory needs to be considered as a possible entry point.

The greatest possible risk is the uploading of PHP files. WP doesn’t let users upload PHP files in its admin console, yet it may be possible that a theme or plug-in may permit such uploads without making use of the WP API to do so. Because of that this may allow hackers to upload dangerous PHP files that will then be executed on the server.

To minimize such security risks, it’s important to prevent the server from serving any PHP files in the uploads/wp-content directory. You can do that by using the rule below:

<Directory “/var/www/wp-content/uploads/”>

<Files “*.php”>
Order Deny,Allow
Deny from All

Enabling HTTPS for wp-admin and all logins

Factually speaking, HTTP isn’t a protocol in and of itself, but rather a Hypertext Transfer Protocol that’s encapsulated in SSL/TLS. SSL/TLS provides web apps and websites the possibility to encrypt transmitted data and authenticate it in order to verify the host’s identity.

Hypertext Transfer Protocol is generally synonymous with internet banking and shopping cars, yet it should generally be used every time users pass sensitive data to the internet server and the other way around.

Based on the website’s traffic, SSL/TLS can greatly consume server resources. Because of that, for the majority of websites it’s not necessary to use HTTPS in order to serve the entire website. However, when it comes to WP’s admin area and login form, these are by far the most sensitive parts of the WordPress website and because of that it’s recommended that the SSL is enforced where required.

WordPress makes it easy to enforce SSL/TLS on both wp-admin and wp-login pages. This is possible by defining 2 constants in your website’s wp-config.php file.

Note: It’s important to have SSL/TLS configured and enabled on your server if you want your website to work properly when setting these constants to true.

To make sure that the login credentials will be encrypted when transiting to the internet server, it’s important that you edit the constant below in your wp-config.php.

define(‘FORCE_SSL_LOGIN’, true);

If you want to make sure that sensitive info in transit will be encrypted when you choose to use the WP admin panel, add the following command in the wp-config.php.

define(‘FORCE_SSL_ADMIN’, true);

Prevent WordPress Username Enumeration

On a large number of WordPress blogs, it’s quite easy to use an author’s archive page in order to enumerate WordPress users. However, it’s important to keep in mind that this is possible only if WordPress permalinks are activated and if the user published a minimum of 1 post.

However, if you wish to prevent WordPress Username Enumeration, you can use the following rule to do that. Make sure to add it in the .htaccess file in WordPress.

RewriteCond %{QUERY_STRING} author=d
RewriteRule ^ /? [L,R=301]

Disable File Editing

BY Default, WordPress allows admins to edit PHP files of themes and plugins inside the WordPress admin interface. If an attacker is able to gain access to an admin account, this the first thing he’ll look into and that’s because this functionality allows him to execute code on the server.

By adding the following line in your wp-config.php file.

define(‘DISALLOW_FILE_EDIT’, true);

Remove Inactive Users

If you have inactive users on your WordPress site, then the bad news is that this can be detrimental to your website’s security. After all, when you have lots of admins that can modify content, the chances of a security breach are higher, especially since so many admins use weak passwords. If you do want to keep inactive users on your WordPress database, you could try limiting any possible actions that may be performed by them by limiting their role to Subscriber.




Add Your Comment

Your email address will not be published.

Please wrap all source codes with [code][/code] tags.

  • Let’s Be Friends

  • OptinMonster
  • SEOProfiler