secure a wordpress install

12 Ways to Secure Your WordPress Site You’ve Probably Overlooked

Change file permissions. Avoid configuring directories with 777 permissions. You should opt for 755 or 750, instead, according to While you’re at it, set files to 640 or 644 and wp-config.php to 600.

Don’t use “admin” as a username. If you’ve already installed WordPress using “admin” as your username or something else very simple, you can change it by inputing an SQL query in PHPMyAdmin or by following the instructions laid out in our latest post on the subject.

Change your password often (and make it good). Random strings of letters and numbers are best. If you don’t feel like coming up with something manually, you can use a password generator to accomplish the task like Norton Password Generator or Strong Password Generator.

Make sure your users establish strong usernames and passwords. It’s all fine and well if you create a good username and password but if your users don’t, your personal efforts won’t matter and your site will be just as vulnerable.

Add two-step authentication. A really good way to prevent brute force attacks is to set up two-step authentication. This means a password is required plus an authorization code that is sent to your phone in order to login to your site. Often, the second login code is sent via SMS. Several plugins can be used to add this feature including ClefGoogle Authenticator, and Duo Two-Factor Authentication.

Updates. Ever since WordPress 3.7, minor WordPress updates now happen automatically. But major updates are still something you need to approve. You can insert a bit of code into your wp-config.php file, however, to configure your site to install major core updates automatically.

It doesn’t get much simpler. Just insert this in the file and major core updates will happen in the background without the need for your approval:

# Enable all core updates, including minor and major:
define( ‘WP_AUTO_UPDATE_CORE’, true );

Be warned, however, that auto updates can break your site, especially if you’re running a plugin or a theme that isn’t compatible with the latest version. Still, setting up the auto updates might be worth the risk if you don’t regularly log into your site.

Now I realize this one also isn’t for everyone, but it’s worth mentioning anyway. Typically, plugins and themes are things you’ll need to update manually. After all, updates are released at different times for each. But again, if you’re not someone who makes site maintenance a regular thing, you may wish to configure automatic updates so everything stays current without necessitating your immediate intervention.

Automatic updates for plugins and themes are another thing you can configure by inserting a bit of code into wp-config.php. For plugins you’ll use:

add_filter( ‘auto_update_plugin’, ‘__return_true’ );


For themes, use:

add_filter( ‘auto_update_theme’, ‘__return_true’ );

Eliminate the Plugin and Theme Editor

If you’re the kind of developer who routinely makes changes and tweaks to plugins and themes then you may want to disregard this section. But if you don’t use the built-in plugin and theme editor in the WordPress dashboard on a regular basis, you’re better off disabling it altogether.

Why? Because authorized WordPress users are given access to this editor and if their accounts are hacked, the editor can be used to take down an entire site just by modifying the code found there.

So you can remove this editor by inserting another bit of code into the wp-config.php file. It’s another simple one:

define( ‘DISALLOW_FILE_EDIT’, true );

Eliminate PHP Error Reporting

Beefing up your site’s backend security has a lot to do with closing the holes or weak spots. Now, if a plugin or theme doesn’t work correctly, it might create an error message. This is definitely helpful when troubleshooting, but here’s the problem: these error messages often include your server path.

Hackers would only need to view your error reports to get your full server path, which means you’d be handing them every nook and cranny of your website on a silver platter. No matter how helpful error reporting might be, it’s a better idea to disable it altogether. This one’s another code snippet to be added to wp-config.php.

@ini_set(‘display_errors’, 0);

7. Protect Your Most Pertinent Files Using .htaccess

8. Hide Author Usernames

9. Keep Track of Dashboard Activity

10. Obscure the Login Page


11. Pick the Best Hosting You Can Afford

You can trick out your site all you want with all the latest security hacks but if you don’t have a good hosting provider, your efforts aren’t going to matter all that much. In fact, security experts WP White Security reported that 41% of WordPress sites were hacked due to a security vulnerability on the host itself. That’s edging on half there, which means you need to do something about your hosting plan, ASAP.

If you want to use shared hosting, make sure your plan includes account isolation. This will prevent someone else’s site on the server from affecting yours in any way. But I think it’s a much better idea to use a service that’s catered directly toward WordPress, however. A managed hosting provider that specializes in WordPress is more likely to include a WP firewall, up-to-date PHP and MySQL, regular malware scanning, a server that’s designed for running WordPress, and a customer service team that knows WordPress inside and out.