Securing WordPress

With a growing number of small to medium sized businesses leveraging WordPress as their website content management system (CMS), security of WordPress installations has become an issue. The WordPress developers have provided a reasonable ‘hardening’ outline, available here, but there are a number of other steps you can take to enhance the security of your WordPress site.

There are four main area’s of WordPress security we will briefly address in this article:

  1. Host Security
  2. Version Maintenance
  3. Restricting Access & Permissions
  4. Encryption

Host Security

Your WordPress site will only be as secure as the web servers its hosted on. If you are hosting your WordPress site on a virtual hosting account then you need to take extra care in making sure you site is secured from both external (Internet) attacks as well as attacks from other users on the same server (Internal). I recommend considering a secure hosting provider which provides hardened server operating systems and secure upload mechanisms such as a SFTP and SSL. Your hosting provider should also make sure they are running current, patched versions of their Apache web server, PHP and MySQL database software. Be sure the discuss security concerns with your hosting provider directly.

Version Maintenance

Keeping your WordPress site up-to-date with the latest WordPress release is important not just for stability but also for security. The WordPress development team does a good job of responding to security issues and bugs in their releases. Regularly check your WordPress administrative interface for notifications regarding new releases and updates. Don’t delay upgrading when a revision becomes available. In addition, make sure you keep any plugins and 3rd party modules you use up to date as some are prone to security issues.

In addition to keeping your WordPress installation and plugins up to date, I also recommend the following plugin:

WordPress Firewall investigates web requests in real-time with simple WordPress-specific heuristics to identify and stop most obvious attacks. In un-patched WordPress installations and within many plugins, it will protect your site from malicious attacks. WordPress Firewall can be downloaded here.

Restricting Access

Be sure to use strong passwords (12 or more characters, numbers, symbols) to project your /wp-admin WordPress management interface. Also take the time to change and/or disable the default ‘admin’ WordPress administrative account. In addition, I recommend two plugins which will significantly enhance the security of your WordPress site:

Login Lockdown adds extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP address. If someone is trying to “brute force” or guess your password repeatedly, it will block them from accessing the server for 1 hour after 3 failed logins. Login Lockdown can be downloaded here.

WP Security Scan scans your WordPress installation for security vulnerabilities, provides recommendations on modifications, monitors your blog for administrative password changes (and sends alerts) and obscures your version information. Developed and maintained by Acunetix, the WP Security Scan plugin provides real time security monitoring and can be downloaded here.


I recommend only accessing your wp-admin interface via a HTTPS connection so as to secure you WordPress login credentails. If you implement solid site permissions, security scans and brute force protection but your login password is captured over a non-secure HTTP session, then all other security mechanisms are rendered useless. I recommend the following plugin:

Admin SSL secures WordPress Administrative URL’s using Private SSL. Rather than logging into you are forced to login at httpS:// This provides SSL security and encrypts your administrative login username and password. Admin SSL can be downloaded here.

In addition to these recommended plugins and configuration suggestions, be sure to secure your wp-admin and wp-includes with .htaccess and don’t use the wp_ table prefix in your WordPress databases (to project against SQL injection).

Do you have other idea’s or recommendation’s on securing WordPress? Post below!

1 Comment

  1. joomlaserviceprovider

    Greetings.We are pleased to announce the release of wSecure. wSecure hides your WordPress admin URL with a special key so that only you can access. The problem with WordPress is that anyone can tell if your site is WordPress by simply typing in the default URL to the administration area (i.e. wSecure helps you hide the fact that your website is built with Worpdress from prying eyes.

    Check out wSecure in action here:

Comments are closed