WordPress is the most popular open source CMS platform, which also makes it a frequent target for malicious attacks and puts it at higher risk of being attacked. Keeping your WordPress blog secure should always be a first priority if you want to run a successful blog. There are many WordPress security plugins that help you secure a blog quickly and easily as well. In this post we share the essential tips and guides that you can implement on your blog to protect it from common WordPress security issues.

#1 Use a strong, solid password

Creating a strong password that is also memorable is one of the easiest defenses against being hacked. There are a lot of online password strength checkers you can use. For example, Microsoft has a free web-based tool on their site called Password Checker.

#2 Remove the default admin username

Older versions of WordPress automatically generate a user with Administrator-level permissions called “admin”. You should add a new administrator account and then delete the “admin” user. The latest version lets you choose the admin username yourself during installation instead.

#3 Always stay up to date

When WordPress releases a new version, especially one that includes security fixes, upgrade as soon as time permits. You should also keep your plugins and theme versions updated.

#4 Back up your MySQL database and site files regularly

You should always back up your web site files and database; make regular MySQL database backups a practice and store them in a safe location. We also recommend installing a database backup plugin such as WP-DBManager, which is what we use for all our WordPress blogs. It lets you optimize, repair, back up, restore and delete database backups, drop/empty tables and run selected queries with a single click. This plugin can also back up your database automatically at a set interval and send it to an email address of your choice as a Gzip file.

#5 Limit access to the wp-admin folder by IP address

This solution adds a little extra security with an .htaccess file that restricts which IPs can access the wp-admin folder. This limits access to your admin dashboard by IP address: any attempt to access a file within this folder from another address is greeted with a Forbidden error message. Replace the 123.456.789.321 part with your own IP address. Visit What’s My IP if you are not sure what your current IP address is. Keep in mind that this only works well if your IP address is fixed, and that some plugins call wp-admin/admin-ajax.php on behalf of ordinary visitors, which this rule would also block.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 123.456.789.321

#6 Disable directories browsing

Some server setups allow directory browsing. You can prevent it by creating an empty index.html file in wp-content/plugins/, or more simply by adding a tiny line to the .htaccess file in your root directory. Protecting all your directories from open public browsing can be done quickly by adding the following line to your .htaccess file:

Options All -Indexes

#7 Secure WordPress database

Basically you should create a separate database for each blog. First, pick a strong database password; you can even use a random one, since you never need to recall it yourself. Secondly, create a database user and grant it limited access. Create a user that can access this database only and grant it only the SQL privileges WordPress needs on this database (SELECT, INSERT, DELETE, UPDATE, CREATE, DROP and ALTER). If you use cPanel to create your database, tick the right checkboxes to give the database user just enough privileges to perform WordPress operations.
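As an added example (not from the original post), here is a small shell script that prints the MySQL statements for one dedicated database and one user holding only the seven privileges listed above; the database and user names are placeholders, and the password is generated rather than chosen.

```shell
#!/bin/sh
# Added example, not part of the original post: print the MySQL statements
# that create one database per blog and a dedicated user holding only the
# seven privileges listed above. Names are placeholders; adjust them.
set -eu

# Random 32-character alphanumeric password. You never need to remember it,
# only paste it into DB_PASSWORD in wp-config.php.
gen_db_password() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32
}

# wp_db_grant_sql <database> <user> <password>
# Prints the SQL on stdout; pipe it into `mysql -u root -p` to apply it.
# The user is bound to localhost and to this single database only, so a
# compromised blog cannot read other databases on the same server.
wp_db_grant_sql() {
    db=$1; user=$2; pass=$3
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8mb4;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, DELETE, UPDATE, CREATE, DROP, ALTER ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Stand-alone run with placeholder names (hypothetical blog "myblog"):
#   sh wp-db-user.sh --run | mysql -u root -p
if [ "${1:-}" = "--run" ]; then
    wp_db_grant_sql wp_myblog wp_myblog_user "$(gen_db_password)"
fi
```

Compare the printed GRANT line with what cPanel shows under the user's privileges after you tick the boxes; anything beyond those seven is more than WordPress needs.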

#8 Restrict file access to wp-content directory

The wp-content directory contains your theme files, uploaded images and plugins. WordPress doesn’t need the PHP files in the plugins and themes directories to be reachable via HTTP. You can restrict wp-content to certain file extensions, including image files, JavaScript and CSS, but not PHP or any other extension. This prevents people from requesting those files directly. Test your site afterwards, since a few plugins expect to serve PHP files from wp-content directly and will break under this rule.

Include the following lines in .htaccess within wp-content:

Order Allow,Deny
Deny from all
# only static asset types may be requested directly
<Files ~ "\.(jpg|gif|png|js|css)$">
	Allow from all
</Files>

#9 Secure your .htaccess file

Besides wp-config.php, the .htaccess file in the root directory is also very important; you should restrict its file permissions to CHMOD 644. Just locate the .htaccess file, right-click it and set the permissions to 644. You can also add the following code at the very bottom of your .htaccess file; it denies every direct web request for wp-config.php, so the file can no longer be fetched through the browser:

<Files wp-config.php>
Order Deny,Allow
Deny from All
</Files>

#10 Optimize your wp-config file by defining your secret keys

Another way to make your WordPress install more secure is to set unique secret keys, which WordPress uses to salt and hash the information stored in your login cookies. This makes it much harder to gain access to your WordPress administration panel by way of cookie hijacking.

Open your wp-config.php file and find the section below:

 * @since 2.6.0
 */
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

Visit the WordPress secret key generation tool to get your own random secret keys, then copy them over the four define lines in your wp-config.php file. The resulting keys look something like this:

define('AUTH_KEY',        '*fhU(7dWI?j?NJY&uJ3|b?-Z&/bjPd`qR+UR+5C4|ai+e 4R{<~6ffQJvS`cz?EZ');
define('SECURE_AUTH_KEY', 'b!O[MGZ+ry2K;#[d;9 :1wS/U*c3*-xYvima#x~9dYrL6+s:Ch_O0^+-~I3 Ba0o');
define('LOGGED_IN_KEY',   '*eJXjN{uE%I?-GZe=O&7_Ic~/Kuo)V$a0]>ScjWN{hf*/p5G:M]2}1$vL/F?M;[email protected]');
define('NONCE_KEY',       'yD)W3!xLn`V6.s^dx:(K<[[email protected]_x*QGF8WxeZpbjGST O87 !&`3Bm-g]i8:');
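As an added example that is not part of the original post, the following shell script generates its own random keys locally (no web tool needed) and writes them over the placeholder lines in wp-config.php; going slightly beyond the post, it also covers the matching *_SALT constants that newer wp-config.php files carry. It assumes the define lines still contain the placeholder text shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: generate random secret keys
# locally and write them into wp-config.php in place of the placeholders.
# Covers the four keys above plus the matching *_SALT lines of newer installs.
set -eu

WP_SECRET_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from [A-Za-z0-9]: safe inside PHP single quotes, so
# nothing needs escaping. WordPress accepts any string here.
gen_secret_key() {
    head -c 2048 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 64
}

# wp_set_secret_keys <path-to-wp-config.php>
# Rewrites every define(...) line whose constant is in WP_SECRET_NAMES with a
# fresh key; all other lines are copied unchanged. Returns non-zero if any
# 'put your unique phrase here' placeholder survived.
wp_set_secret_keys() {
    cfg=$1
    tmp="$cfg.tmp.$$"
    : > "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        # Constant name is the first single-quoted token on a define line.
        name=${line#*\'}; name=${name%%\'*}
        case $line in
            define*) case " $WP_SECRET_NAMES " in
                *" $name "*) line="define('$name', '$(gen_secret_key)');" ;;
            esac ;;
        esac
        printf '%s\n' "$line" >> "$tmp"
    done < "$cfg"
    mv "$tmp" "$cfg"
    ! grep -q 'put your unique phrase here' "$cfg"
}

# Stand-alone run: sh wp-secret-keys.sh --run /path/to/wp-config.php
if [ "${1:-}" = "--run" ]; then
    wp_set_secret_keys "$2"
fi
```

Changing these keys logs every user out, which is exactly what you want after a suspected cookie theft.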

Got more tips to share?

If you have more tips for securing WordPress, please share them with all of us in the comments.
