WordPress Security - Part 2

WordPress Security - Part 2More WordPress Security Tips

Here are ten additional WordPress security points, with an eleventh added as a bonus for SSL websites.

11) Hidden Admin Area

All WordPress websites use the same folder structure. Be different and change things around so that automated hacking scripts can’t find ways to break into your website. If an automated script can’t find the admin area, then it’s been rendered useless before it even had a chance to do any harm!

12) Secure .htaccess File

The .htaccess file is one of the most important files you website has. If a hacker is able to edit it, they can do all sorts of damage, such as diverting all your traffic to a completely different website address. Simply changing the write permissions of this highly sensitive file can help keep it safe. It’s a simple change which helps your WordPress security a great deal.

13) Unique URLs

This WordPress security point is along the same lines as number eleven above. Change the login URL of your website, which will help keep brute force attacks down to a minimum. Change the content folder name as well. This can help keep sensitive files safe, such as your uploaded files, plugins and themes.

14) Changed Files Notifications

Even with all the best security in the world, a website can still get hacked. Trying to clean up the damage can be very time consuming. What helps a lot is to have a detailed record of what was changed. You can setup your WordPress security so that you receive an automated email notification whenever a file is changed. Better yet, you can receive a detailed list of exactly which files were changed. Additionally these changes can be saved to a log file, so that you can go back in time and have a clear picture of what has been happening.

15) Restrict Long URLs

By restricting long URLs to a maximum number of characters, you stop the injection of malicious code into your website. Such injections are quite common and can be tricky to stop. If the number of allowed characters has been reduced, then it’s almost impossible for a hacker to create damaging code that can still get in.

16) Stop Online File Editing

Another WordPress security point to consider is to turn off the capability to edit files directly from within the WordPress admin area. If a hacker should gain access to the admin area, they can do all sorts of damage. However it is possible to limit some of that damage by not allowing file edits from the admin area. This will mean that if you want to edit any of the files which make up the various plugins or themes, you’ll have to edit them externally. It’s a very small price to pay to have this added WordPress security though.

17) Isolate Write Permissions

The WordPress security package we install on our clients’ websites is setup so that if a sensitive file needs to be written to, it has to go through the security software. This helps ensure that these files cannot be altered by other means, such as via malicious software.

18) Lock Down Sensitive Files

Two of the most sensitive files are the configuration file and the .htaccess file. Lock them down by changing their write permissions. This will help keep hackers from making changes to them and increase your WordPress security.

19) Hidden Software Version Number

Many different software titles proudly display the version number. Hackers love to see this information, as it immediately lets them know which version they’re trying to hack into. They know all too well which version has which vulnerabilities. There is no reason to display this information, so remove it!

20) Content Folder

There is a folder within WordPress which contains all the content, such as all the plugins, themes, uploaded files and more. Rename this folder so that hackers can’t find it and cause damage. Increasing your WordPress security is often simply a matter of making it difficult for hackers to find the files and folders they want to hack into.

21) SSL Connections

This last WordPress security point is a bonus, and is only relevant if your site has an SSL certificate. If it does, you can setup WordPress so that the login area and the entire admin area can only be accessed via SSL. This means that all those URLs will begin with https, instead of just http. Therefore any information that is entered while on these select pages will be encrypted and secured by an additional layer of protection.

General Concepts

As you can see, the general concept is to understand that there are millions of WordPress websites out there. Each one is setup in more or less the same manner. The result is that hackers have an easier time. They simply need to find a vulnerability and write an automated bit of computer code which can exploit it. This code is then sent on its way to try and break into as many sites as possible.

The solution to this problem is actually quite simple – Be different! By changing your own website’s folder structure, locking down specific files, keeping detailed logs of any changes, and so on, you’re placing a lot of additional barriers in the hackers way, and increasing your WordPress security. With so many easier targets available, they’re not going to spend the time to figure out all of your changes and try to break in. Any automated hacking scripts will immediately fail and you’ll stay safe.

Of course, if you’re being specifically targeted for whatever reason, then perhaps your attacker will take the time to work through all these barriers. A targeted attack is more difficult to guard against, however even these tips will make it difficult for them. Additionally, you’ll also receive email notifications and log files to alert you to such hacking attempts. That should give you ample warning so that you can look into protecting yourself even further before things get out of control.

Take your WordPress security seriously and stay safe. After all, you put a lot of work into your website, so you should also put at least a bit of effort into keeping it secure!


Some great tips here Gunther... I'm very pleased that we have people such as yourself promoting security for common platforms like WordPress. Although these tools can seemingly make setting up a functional web site a quick and easy process, a little care early on can avoid some costly recovery later on!