Menu Search
Jump to the content X X
Smashing Conf New York

You know, we use ad-blockers as well. We gotta keep those servers running though. Did you know that we publish useful books and run friendly conferences — crafted for pros like yourself? E.g. our upcoming SmashingConf New York, dedicated to smart front-end techniques and design patterns.

10 Useful WordPress Security Tweaks

Security has always been a hot topic. Offline, people buy wired homes, car alarms and gadgets to bring their security to the max. Online, security is important, too, especially for people who make a living from websites and blogs. In this article, we’ll show you some useful tweaks to protect your WordPress-powered blog.

Further Reading on SmashingMag: Link

1. Prevent Unnecessary Info From Being Displayed Link

The problem
When you fail to log into a WordPress blog, the CMS displays some info telling you what went wrong. This is good if you’ve forgotten your password, but it might also be good for people who want to hack your blog. So, why not prevent WordPress from displaying error messages on failed log-ins?

The solution
To remove log-in error messages, simply open your theme’s functions.php file, and paste the following code:

add_filter('login_errors',create_function('$a', "return null;"));

Save the file, and see for yourself: no more messages are displayed if you fail to log in.

Please note that there are several functions.php files. Be sure to change the one in your wp-content directory.

Code explanation
With this code, we’ve added a simple hook to overwrite the login_errors() function. Because the custom function that we created returns only null, the message displayed will be a blank string.


2. Force SSL Usage Link

The problem
If you worry about your data being intercepted, then you could definitely use SSL. In case you don’t know what it is, SSL is a cryptographic protocol that secures communications over networks such as the Internet.

Did you know that forcing WordPress to use SSL is possible? Not all hosting services allow you to use SSL, but if you’re hosted on Wp WebHost or HostGator, then SSL is enabled.

The solution
Once you’ve checked that your Web server can handle SSL, simply open your wp-config.php file (located at the root of your WordPress installation), and paste the following:

define('FORCE_SSL_ADMIN', true);

Save the file, and you’re done!

Code explanation
Nothing hard here. WordPress uses a lot of constants to configure the software. In this case, we have simply defined the FORCE_SSL_ADMIN constant and set its value to true. This results in WordPress using SSL.


3. Use .htaccess To Protect The wp-config File Link

The problem
As a WordPress user, you probably know how important the wp-config.php file is. This file contains all of the information required to access your precious database: username, password, server name and so on. Protecting the wp-config.php file is critical, so how about exploiting the power of Apache to this end?

The solution
The .htaccess file is located at the root your WordPress installation. After creating a back-up of it (it’s such a critical file that we should always have a safe copy), open it up, and paste the following code:

<files wp-config.php>
order allow,deny
deny from all

Code explanation
.htaccess files are powerful and one of the best tools to prevent unwanted access to your files. In this code, we have simply created a rule that prevents any access to the wp-admin.php file, thus ensuring that no evil bots can access it.


4. Blacklist Undesired Users And Bots Link


The problem
This is as true online as it is in real life: someone who pesters you today will probably pester you again tomorrow. Have you noticed how many spam bots return to your blog 10 times a day to post their annoying comments? The solution to this problem is quite simple: forbid them access to your blog.

The solution
Paste the following code in your .htaccess file, located at the root of your WordPress installation. As I said, always back up the .htaccess file before editing it. Also, don’t forget to change 123.456.789 to the IP address you want to ban.

order allow,deny
allow from all
deny from 123.456.789

Code explanation
Apache is powerful and can easily be used to ban undesirable people and bots from your website. With this code, we’re telling Apache that everyone is allowed to visit our blog except the person with the IP address 123.456.789.

To ban more people, simply repeat line 4 of this code on a new line, using another IP address, as shown below:

order allow,deny
allow from all
deny from 123.456.789
deny from 93.121.788
deny from 223.956.789
deny from 128.456.780


5. Protect Your WordPress Blog From Script Injections Link

The problem
Protecting dynamic websites is especially important. Most developers always protect their GET and POST requests, but sometimes this is not enough. We should also protect our blog against script injections and any attempt to modify the PHP GLOBALS and _REQUEST variables.

The solution
The following code blocks script injections and any attempts to modify the PHP GLOBALS and _REQUEST variables. Paste it in your .htaccess file (located in the root of your WordPress installation). Make sure to always back up the .htaccess file before modifying it.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Code explanation
Using the power of the .htaccess file, we can check requests. What we’ve done here is check whether the request contains a <script> and whether it has tried to modify the value of the PHP GLOBALS or _REQUEST variables. If any of these conditions are met, the request is blocked and a 403 error is returned to the client’s browser.


6. Fight Back Against Content Scrapers Link

The problem
If your blog is the least bit known, people will no doubt try to use your content on their own websites without your consent. One of the biggest problems is hot-linking to your images, which saps your server’s bandwidth.

The solution
To protect your website against hot-linking and content scrapers, simply paste the following code in your .htaccess file. As always, don’t forget to back up when modifying the .htaccess file.

RewriteEngine On
#Replace ? with your blog url
RewriteCond %{HTTP_REFERER} !^http://(.+.)? [NC]
RewriteCond %{HTTP_REFERER} !^$
#Replace /images/nohotlink.jpg with your "don't hotlink" image url
RewriteRule .*.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]

Once you’ve saved the file, only your website will be able to link to your images, or, to be more correct, no one would link to your images, because it would be way too complicated and time-consuming. Other websites will automatically display the nohotlink.jpg image. Note that you can also specify a non-existent image, so websites that try to hot-link to you would display a blank space.

Code explanation
With this code, the first thing we’ve done is check the referrer to see that it matches our blog’s URL and it is not empty. If it doesn’t, and the file has a JPG, GIF, BMP or PNG extension, then the nohotlink image is displayed instead.


7. Create A Plug-In To Protect Your Blog From Malicious URL Requests Link


The problem
Hackers and evil-doers often use malicious queries to find and attack a blog’s weak spots. WordPress has good default protection, but enhancing it is possible.

The solution
Paste the following code in a text file, and save it as blockbadqueries.php. Once you’ve done that, upload it to your wp-content/plugins directory and activate it as you would any other plug-in. Now your blog is protected against malicious queries.

Plugin Name: Block Bad Queries
Plugin URI:
Description: Protect WordPress Against Malicious URL Requests
Author URI:
Author: Perishable Press
Version: 1.0

global $user_ID;

if($user_ID) {
  if(!current_user_can('level_10')) {
    if (strlen($_SERVER['REQUEST_URI']) > 255 ||
      strpos($_SERVER['REQUEST_URI'], "eval(") ||
      strpos($_SERVER['REQUEST_URI'], "CONCAT") ||
      strpos($_SERVER['REQUEST_URI'], "UNION+SELECT") ||
      strpos($_SERVER['REQUEST_URI'], "base64")) {
        @header("HTTP/1.1 414 Request-URI Too Long");
  @header("Status: 414 Request-URI Too Long");
  @header("Connection: Close");

Code explanation
What this code does is pretty simple. It checks for excessively long request strings (more than 255 characters) and for the presence of either the eval or base64 PHP functions in the URI. If one of these conditions is met, then the plug-in sends a 414 error to the client’s browser.


8. Remove Your WordPress Version Number… Seriously! Link

The problem
As you may know, WordPress automatically displays the version you are using in the head of your blog files. This is pretty harmless if your blog is always up to date with the latest version (which is certainly what you should be doing anyway). But if for some reason your blog isn’t up to date, WordPress still displays it, and hackers will learn this vital piece of information.

The solution
Paste the following line of code in the functions.php file of your theme. Save it, refresh your blog, and voila: no more WordPress version number in the header.

remove_action('wp_head', 'wp_generator');

Code explanation
To execute certain actions, WordPress uses a mechanism called “hooks,” which allow you to hook one function to another. The wp_generator function, which displays the WordPress version, is hooked. We can remove this hook and prevent it from executing by using the remove_action() function.


9. Change The Default “Admin” Username Link


The problem
Brute force is one of the easiest ways to break a password. The method is simple: try as many different passwords as possible until the right one is found. Users of the brute force method use dictionaries, which give them a lot of password combinations.

But knowing your username certainly makes it easier for them to guess the right combination. This is why you should always change the default “admin” username to something harder to guess.

Note that WordPress 3.0 let you choose your desired username by default. Therefore, this tip is still usefull if you still use the old “admin” account from older WordPress versions.

The solution
If you haven’t changed the “admin” username yet, simply run the following SQL query to your database to change it for good. Don’t forget to specify your desired username.

UPDATE wp_users SET user_login = 'Your New Username' WHERE user_login = 'Admin';

Code explanation
Usernames are stored in the database. To change one, a simple UPDATE query is enough. Note that this query will not transfer posts written by “admin” to your new username; the source post below shows you how to easily do that.


10. Prevent Directory Browsing Link

The problem
By default, most hosts allow directory listing. So, if you type in the browser’s address bar, you’ll see all of the files in that directory. This is definitely a security risk, because a hacker could see the last time that files were modified and access them.

The solution (Updated)
Just add the following to the Apache configuration or your .htaccess file:

Options -Indexes

Code explanation
Please note that it’s not enough to update the blog’s robots.txt file with Disallow: /wp*. This would prevent the wp-directory from being indexed, but will not prevent users from seeing it.



Footnotes Link

  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16

↑ Back to top Tweet itShare on Facebook

This guest post was written by Jean-Baptiste Jung, a 28-year-old blogger from Belgium, who blogs about Web Development on Cats Who Code, about WordPress at WpRecipes and about blogging on Cats Who Blog . You can stay in touch with Jean by following him on Twitter.

  1. 1

    Great post, thanks 4 the tips!

  2. 2

    Pål Börje

    July 1, 2010 7:07 am

    Tip # 10

    # disable directory browsing
    Options All -Indexes

    in .htaccess

  3. 3

    I just write to say I really loved your smashing cartoon, I know you guys are german and I hope Germany DESTROY!!!!!!!!!… Argentina

    cheers from Mexico

  4. 8

    Sahus Pilwal

    July 1, 2010 6:22 am

    Thanks for the tips! Will roll some of these out on our existing and upcoming WordPress Blogs. ;)

  5. 9

    Shafiq Khan

    July 1, 2010 6:23 am

    Some cool tips here thanks.
    I like using the Login Lockdown plugin too. But it isn’t fully compatible with WordPress 3.0 yet.

  6. 10

    Darren Keirle

    July 1, 2010 6:23 am

    Great post,

    Will certainly follow several of these for my blogs!

  7. 11

    Great article. A client of mine has been having some odd behaviors with their wordpress install. I’ve been looking for security features, outside of plugins, and this article pops up out of nowhere.

    Thank you!

  8. 12

    Maxime Guernion

    July 1, 2010 6:30 am

    The “Disallow: /wp-*” (10. Prevent Directory Browsing) must be in your robots.txt file not in .htaccess file :)

    • 13

      @Maxime Guernion

      robots.txt is not enforced by the server. You can still browse the directory if robots.txt says “Disallow”.

      On the other hand, any directives in the .htaccess file will be enforced by the server.

  9. 14

    Nice post. I’ll implement them on my blog.

  10. 15

    Regarding: “Use .htaccess To Protect The wp-config File”

    A properly configured web server will serve a blank page if some user or bot tries to access wp-config.php. True, if PHP becomes disabled, then that file could be served as clear text, so adding .htaccess rules to prohibit web access to the file would help.

    The “code explanation” for that tip mentions blocking access to wp-admin.php. I think it should be wp-config.php, since there is no wp-admin.php.

    Posts like this need to be triple-checked for accuracy though. The advice to add “Disallow: /wp-*” to you .htaccess file will break your site. Also, that advice does not disallow directory browsing. It just stops good robots from indexing the directory.

    You should just add an index.php file into directories like this, to stop browsing.

  11. 16

    I am not hacker, but i’m know which version use Jean-Baptiste Jung on Cats Who Code(2.8.4) and WpRecipes(2.9.1) and Cats Who Blog(3.0)
    P.S. Sorry for my English

  12. 17

    Sunny Kumar

    July 1, 2010 7:16 am

    Very Useful for WordPress Developers !

  13. 18

    These tips are really useful! Will definitely get round to using some of them.

    The handy thing about most of these is that they can be implemented in only a few minutes, but can really help put your mind at rest. Perfect.

  14. 19

    Disallowing access to wp-content will break any posts you have added attachments to.

    Just so you know.

  15. 20

    Rares Cosma

    July 1, 2010 7:34 am

    A fairly good collection of WordPress security tips. However, you should change the IP addresses in tip no. 4 to better reflect real addresses. (4 groups instead of 3, no value larger than 255)

  16. 21

    Its awesome post about wordpress security. I will definitely use few for my blog.


  17. 22

    you have to delete the following files in the root directory:
    readme.html, install.php (and liesmich.html in the german version)
    otherwise everyone can find the version there.

  18. 23

    you can also put the following lines in your .htaccess:

    # protect readme.html

    Order Allow,Deny
    Deny from all
    Satisfy all

    # protect liesmich.html

    Order Allow,Deny
    Deny from all
    Satisfy all

    # protect install.php

    Order Allow,Deny
    Deny from all
    Satisfy all

  19. 24

    There is some good stuff here. One tip I always see is to change your default “admin” username (#9). However, I think it should be mentioned that site owners, once this is done, should be careful not to post under this new admin account (posting or editing while logged in). If you’re showing the author, the administrative account name is pretty much right back into the open.

  20. 25

    Satya Prakash

    July 1, 2010 9:31 am

    I have tried solution for Malicious URL Requests and this does not worked.
    I activated the plugin and it did not do anything,
    I tried adding eval, eval() and base64 also. no one has given any error or anything new.

  21. 26

    I’m sorry but I have some serious issues with this blog post. There are too many of them, so I’ve listed them on my company blog

    • 27

      LoL – this post should be deleted as it’s nothing but spam. “all these suggestions are bad bad bad, listen to me oh and by the way sign up for my affiliate program”.

  22. 28

    Chris Robinson

    July 1, 2010 11:18 am

    Perfect, was just looking for a post like this…site got hacked the other day.

  23. 29


    July 1, 2010 12:05 pm

    Not sure about some of the advice on here, but there’s an official “Hardening WordPress” page everyone should read:


    Also, wp-config.php should be moved up a directory from your WP installl (likely out of doc root), not blocked using an .htaccess file.

    Also, also the WP-Security Scan plugin rocks and strips versioning and various other WP-specific info from your pages.

  24. 30


    July 1, 2010 12:11 pm

    Seems like the rewriting rules from 5. Protect Your WordPress Blog From Script Injections are easily subverted using %escapes

  25. 31

    The point 10, I think it is: Options -Indexes

    You miss the s in Options.

  26. 32

    Asela de Saram

    July 1, 2010 7:21 pm

    Good post. Thank you very much!

    Something else which I believe is worth a mention is Akismet. It helps by keeping out (or reducing) comment spamming.

  27. 33

    Good to know some security loopholes on my WP sites. Immediately put some to use such as #3 and #10. Great help, thanks!

  28. 34

    Sumit pranav

    July 2, 2010 1:08 am

    Really a nice and informative article.

  29. 35

    Andy Kinsey

    July 2, 2010 1:21 am

    I wish I had these tips last year, I was running 2.5 or something at the time and got hacked I am now very very very security concious. Every little change helps :)

  30. 36

    Artful Dodger

    July 2, 2010 2:34 am

    Hey, thanks for this. I just disabled directory browsing. I used to create blank index.php files but that used to take forever.

  31. 37

    It’s also helpful to enable cookie encryption on your WordPress site by using authentication keys. has a secret key generation service that generates a random set of keys to place in your wp-config.php file.

  32. 38

    Syed Balkhi

    July 2, 2010 6:33 am

    For the tip #1: Remove Login Errors is removing -all- login errors, which could be bad because it also omits notices about disabled cookies, etc. A more effective approach would be to have the function return:

    str_replace( array( ‘Invalid username’, ‘Incorrect password’ ), ‘Invalid username or password’, $str );

    This keeps the user informed of potential errors while obfuscating which field the error actually occurred in. One thing to keep in mind is that if the username is correct, WordPress will auto-populate that field in subsequent login attempts. A hacker aware of WordPress operation would then know that the username was indeed valid. You can prevent this by commenting out the appropriate section in the wp-login.php file (lines 529-530 in version 2.9.2)–not ideal, I know, but there are no hooks at that point in the code.

  33. 39


    July 2, 2010 6:41 am

    The #8, Remove Your WordPress Version Number… Seriously! is not really serious :) You will be removing the version number from your site, but it will still be available to XML readers, like RSS or ATOM feed readers. The following snippet is the correct way to remove the WordPress version number from the website and RSS feeds.

    add_filter(‘the_generator’, create_function(”, ‘return “”;’));

    You can use it on your theme functions file (functions.php).

  34. 40

    Srecko Bradic

    July 2, 2010 8:43 am

    Excellent!!! Thank you for this information!

  35. 41

    One of the most useful articles I’ve read about WP lately! Thanks for sharing!

  36. 42

    On tip #9 I’d rather recommend to create a new admin and delete the previous one, since it would still remain with the ID = 1 in database. I already suffered an attack on a blog who had a different admin username but it got hacked still. I had to manually delete the row in order to prevent it from happenning again. Luckily, I had other admin at usage on the blog.

  37. 43

    The best way to secure proof WordPress is to separate completely core/plugins files (wp-folders) from themes/assets/media files and then deny access to the firsts.

  38. 44

    Will have to tweak my WordPress sites with these tips tonight

  39. 45

    There is a better way to rename the admin user.

    1) Create a new user. 2) Give them admin authority. 3) Log in under newly created users and delete the original admin user. 4) When asked, assign all posts to new administrative user.

    This not only gives you a renamed user, but it also changes the user id # which is used internally. There is no longer a user id 1.

  40. 46

    Ilie Ciorba

    July 2, 2010 2:14 pm

    Great post, I almost forgot point 9 :)

  41. 47

    I think tip #1, which suggests removing login error messages, is a bit misguided. Error messages are helpful feedback for users, so they really shouldn’t be disabled completely. Instead, you can check the actual text of the error message in your wp-login.php file and edit it so it is less descriptive.

  42. 48

    Jean-Francois Monfette

    July 2, 2010 6:05 pm

    Very useful info for anyone using wordpress, which is a lot of people !

  43. 49

    Kishore Mylavarapu

    July 2, 2010 6:40 pm

    All ready discussed topics but this is a nice collective information..thank you

  44. 50

    can you tell me how to avoid the blog to be fetched using file_get_contents() or CURL method ?

  45. 51

    Personnaly, i wrote in my .htaccess :

    « protect me, god »

    And it works fine ^^

    Anyway. Nice tips for my limited knowledge. Thank you.

  46. 52

    Thanks for the tips. I just included 3 of them in my blog (which hasn’t been launched yet…).

  47. 53

    I’m not able to get #6 above to work on WordPress sites. I changed URLs, etc., but still get a 500 error on the site.

    Here’s a good post on how to correctly remove the generator tag (to remove from HTML as well as RSS feeds):

  48. 54


    July 4, 2010 11:37 am

    These sound very good. I just hope that I can do them correctly. lol Thanks.

  49. 55

    In #6 you did not say you need to create an image if you want to display a ‘nohotlink.jpg’ image. Perhaps, if you want to drive more visitors to your site, it would be fun to create an image of text that will give the name of your web site if people want to see the real image and that the site they are on tried to steal your image. It could be better for you, and make the site which tried to steal your content look bad.

  50. 56

    Nice tips with a lot of help. thanks Jean

  51. 57

    Lovly Post !!

    I really like Smashing Magazines articles !

    Too good !!

  52. 58

    Giải Pháp Online Marketing

    July 5, 2010 7:23 pm

    it’s very usefull for my blog :)

  53. 59

    Thanks for share
    it’s time to protect our wordpress

  54. 60

    Great article for me (noob). Thanks.

    Question though, would any of these .htaccess adjustments effect backing up of the database? (I’ve used the codetree plugin and wordpress db backup) but none work now after adding some of these changes; i just get redirected to the home page.

    Also not sure if this is causing the problem:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !.*.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]


    Or could it be the blockbadqueries.php?


  55. 61

    I removed the blockbadqueries plugin and I was able to backup the database again.

    • 62

      Just to set the record straight, it’s not the blockbadqueries.php that is causing the problem it is the wordpress firewall. If you whitelist *wp-admin/tools.php* and *wp-admin/edit.php* it fixes it.

      Odd thing is the problem happens at home but not on the work computer.

  56. 63

    Chris Coyier

    July 6, 2010 6:36 pm


    from: with LOVE !

  57. 64

    Kanwaljit Singh Nagra

    July 7, 2010 1:28 am

    Very good post – tips like this bring the real value to designers as tools such as WordPress are the most commonly used :D

  58. 65

    No need for function at number 8 (remove WordPress version). You could just remove one line responsible for version number from header.php
    Otherwise, good list – thanks!

  59. 67

    Sorry but this post is completly USELESS, like Vid Luther said…

    I’m a real developer (not a designer) so, please Smashing Magazine, dont allow post like that…

  60. 68

    Nice post. MIght be worth taking a look at the awesome gdpress tools plug in that will do quite a lot of this for you.

  61. 69

    One of the most helpful wordpress post I have come across! Things you never know possible can be prevented. Time to block those evils off your site. Much appreciate your effort in writing this post!!

  62. 70

    Manish Kungwani

    July 15, 2010 9:17 am

    Nice tips, but since my WordPress blog is on IIS, and I dont have an .htaccess file, how should I implement these tips??

  63. 71

    The plug-in tutorial seems not to be working for me, is this because of wp 3.0?

  64. 72

    good team,i’ve spent so much time here

  65. 73

    jared thompson

    July 27, 2010 7:12 am

    a must read for all wordpress users!

  66. 74

    Thanks for the tips. I will definitely add these to my blog.

  67. 75

    It was really helpful for my website. Thank you

  68. 76

    Really useful … thanks

  69. 77

    Thanks SM for pressing on with quality and relevance. Articles that explain clearly how to do what they suggest should be done are very useful. This one does it well.

  70. 78

    hey perfect man thanks for sharing such information..


  71. 79

    For number 10, how do we it? I dont know anything about Apache configuration…

  72. 80
  73. 81

    great list of word press security tweaks

  74. 82

    10 Useful WordPress Security Tweaks – [link]

  75. 83

    excuse me,
    thank you far the useful article, but……

    when you say paste this and that in htaccess or functions php…. I would like to know where

    sorry but I’m not programmer

    can I paste the code where I want? In what lines?

  76. 84

    The plugin referenced does not with 3.01. I found an update on the authors site.

  77. 85

    fantastic.. everything on the list is highly recommended!

  78. 86

    Hey! its a very nice tips, I can’t use Force SSL on my Blog.

    I like change Admin username with SSH Command..


  79. 87

    Link directories are really nice to gain some backlinks. I use them when ican. Link directories are quick way to push your blog a bit.

  80. 88

    I like the post as it is informatibe, but there are several issues in which this is not “real” security. Some of the points above can be bypassed by script kiddies.

    One thing I think this post should have referred to is, “Hardening WordPress”:

  81. 89

    Realy useful tips. Most of them refer to modify .htaccess file. Is this file rewriten when wordpress updates ?

  82. 90

    Sharagim Habibi

    February 12, 2011 7:08 pm

    Anyone heard of lsx_06 as a security “patch?”

  83. 91

    Lovely tips cheers guys

  84. 92

  85. 93

    Great article. I run quite a few wordpress blogs and have been worried after recent hacking attempts, especially as i rely on the sites for regular income.
    I recently came across whcih offers a very cheap solution along with video instructions. Great site, great product, just wanted to pass it on.

  86. 94

    If there was a hall of fame for WordPress articles, this would have to be right up there with the best of them. Just launching a site for a friend who is starting up a business, and this little checklist has just saved me a number of future security related headaches!

  87. 95

    For those who wonder about the issue of security through obscurity, have a look at this article about WordPress Security and Obscurity – it offers some clarity and validates some of the tips outline in the article here at Smashing Magazine.

  88. 96

    Good tips; number 10 is an interesting one as many people do not understand the danger.

    I did a post highlighting the thousands of vulnerable WordPress installations that can be found through directory indexing.

  89. 97

    Good tips Great site very informative I enjoyed it thank you…cheers Peter

  90. 98

    Heather Wood

    July 11, 2011 7:48 am

    I’m in awe as to how much I need to do to build a website. I am so grateful to have you guys do the hard research for me and make lists like this that make my life so much easier ^_^

  91. 99

    I have to express my appreciation to this writer just for rescuing me from this particular problem. Just after surfing around throughout the online world and obtaining techniques that were not powerful, I was thinking my entire life was well over. Existing without the presence of approaches to the issues you’ve fixed all through this write-up is a critical case, and the kind that would have adversely damaged my career if I had not noticed your blog post. Your main expertise and kindness in touching every part was valuable. I’m not sure what I would have done if I hadn’t encountered such a thing like this. I can also now look forward to my future. Thank you very much for your expert and result oriented help. I won’t be reluctant to suggest your web sites to any individual who will need support about this situation.

  92. 100

    Great post. Thanks for sharing. I will use several of these tips.

  93. 101

    Thank you very much for such useful information!

  94. 102

    I’ve had so many problems dealing with wordpress security breaches. I’ve used all the recommended plugins. Anyone got any solutions?

  95. 103

    thanks dude
    nice post

  96. 104

    Force SSL Usage

    define(‘FORCE_SSL_ADMIN’, true);

    Causing disruption of WP-admin

  97. 105

    Good stuff is always a good stuff. Thanks

  98. 106

    Great thanks for the share of info. Will use this on my new web :)

  99. 107

    Thank You. It is useful for my 4 months old website. :)

  100. 108

    Excellent job. You not only covered many useful items, you also explained them well, as opposed to the normal “just do this” tactic.

    Thanks for including the linkbacks as well!

  101. 109

    Habiba Hamaki

    March 1, 2012 3:36 am

    There are so many people who want to know how to make money, but there are so many pitfalls. NO wonder that 95% of all new businesses fail. Why do so many fail? Usually for…

  102. 110

    Anders Vinther

    May 11, 2012 8:41 am


    Great post… One of the important things about your WordPress backup is that you store your backups outside your hosting account and that you workout a great backup strategy…

    I’ve described a good mix of daily, weekly and monthly backups with auto-deletion of old backup archives here:

    On this site you can also download a free, comprehensive WordPress Security Checklist, which will help just about everyone improve their security…

    Just my two cents… keep up the great work!


  103. 111

    Fontana Lorenzo

    June 29, 2012 3:35 pm

    Remember that there are a lot of hackers-vulnerable WordPress plugin, here there’s the list of them!

  104. 112

    In the third tip under the heading code explanation it says “we have simply created a rule that prevents any access to the wp-admin.php file” which should be wp-config.php because there is no such file as wp-admin.php

  105. 113

    Security has always been a hot topic. Offline, people buy wired homes, car alarms and gadgets to bring their security to the max.

  106. 114

    Another Tweak ….

    We have recently published a plugin for strong authentication. It prefers usability to security so you can either login with a password or with one-time code.

    If you’re on a secure network, you may want to use just your password but open your smart phone when connected through an insecure WiFi (cafe, train, …).

    We tested it with a few smart phone apps: Google Authenticator, Pledge, DS3 OATH, AWToken so you don’t have to rely on Google completely.

    Try to search for S-CRIB OTP Authenticator in the list of WordPress plugins or directly .

  107. 115

    I love reading an article that can make people think. Also, thanks for permitting me to comment!

  108. 116

    Justin Mifsud

    July 17, 2013 3:02 am

    Great post Jean-Baptiste,

    I personally have tried most of the above techniques as well as others. For these I would also advise the official ones on the WordPress codex site. Every website owners should have at least a working knowledge of the basic security concepts. If they keep up to date or read articles like this one, then the world would be a better place. After setting the security basics right, you would reach a plateau and you would need monitoring services or assistance when you are hacked. There are some free and paid for services and plugins for that. I use Sucuri and, in fact I have blogged about they whys ( Login limiting is also essential (although bots use different IPs) so a good password and username is always good. Another good solution that I found is using Google’s 2-step authenticator so that logging into WP Admin is via a username, password and code generated on your mobile device.

  109. 117

    Thanks for this post, i did not read all the comments so i do not know if im doubling up but anything that prevents query strings is a bad idea… i know why its beneficial but in the real world depending on what plugins are being used in WordPress can cause unforeseen problems to the novice…. take this from first hand experience.

    1 example is WooCommerce (very popular plugin) i came across an issue that i denied query strings similar to the above example, i had strange problems upon checkout with a weird error message, after much trouble shooting it was the query strings not being allowed to show correctly, WooCommerce relies on these strings.

    Once i commented them out everything started worked as expected.

    I try and stay away from these types of security tweaks especially in a WordPress setup i however do see a lot of value if your building a website from scratch where you have total control over the construction of the website not using WordPress as the CMS.

    Hope that information helps others.

  110. 118

    Great article.
    I had a site hacked by the “Turkish hacker HaYal-ET06” but was able to repair the site very easily. Not to say other hackers wouldn’t try to totally destroy a WordPress site.
    I document what I did to completely repair my site.

    Hope this helps others.

  111. 119

    Hi, By default my login error message is disabled, Now I got to know how its disabled. Thanks for you information.


↑ Back to top