13 Steps to Completely Secure Your WordPress Blog
It's very important to keep your blog secured from hackers and from "Internet thieves". Learn how you can make your WordPress blog more secure.
1. Lock your blog's admin directory.
This ensures that only you can access the wp-admin directory. It involves creating a .htaccess file and adding your IP address to it. Open up Notepad and paste the following code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# My 1st IP address
allow from a.b.c.d
# My 2nd IP address
allow from w.x.y.z
[The IP addresses shown above are only placeholders. Replace them with your own IP addresses.]
You can add as many IP addresses as you want. Find your current public IP address first. Save the file as .htaccess and upload it as wp-admin/.htaccess. Thanks Matt Cutts.
Important note: be careful with your IP address and double-check it. The above method works only with static IP addresses. If your IP address is dynamic and changes, you won't be able to access your WordPress dashboard. In that case delete the .htaccess file from the wp-admin directory.
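Because one mistyped octet in that file locks you out of your own dashboard, it is worth generating and checking it rather than editing it by hand. The script below is an added example (not code from the original post): it validates every entry as an IP address or CIDR range, emits the deny-all / allow-from file from step 1, and simulates which visitor address would get through. As an extension beyond the post, it can also emit the Apache 2.4 form (`Require ip` inside `RequireAny`), which replaces `order`/`deny`/`allow` on 2.4 servers unless mod_access_compat is loaded. The sample addresses are documentation ranges chosen for the example.

```python
"""Generate and sanity-check the wp-admin/.htaccess IP allow-list from step 1.

Added example, not code from the original post. The deny-all-then-allow
semantics follow Apache 2.2 'order deny,allow'; the Apache 2.4 'Require ip'
output is an addition of this example. Sample addresses are constructed.
"""
import ipaddress

# Fixed preamble exactly as in the post's .htaccess (Apache 2.2 syntax).
HEADER_22 = [
    "AuthUserFile /dev/null",
    "AuthGroupFile /dev/null",
    'AuthName "Access Control"',
    "AuthType Basic",
    "order deny,allow",
    "deny from all",
]


def invalid_entries(entries):
    """Return the entries that are not a valid IP address or CIDR range.

    Placeholders such as 'a.b.c.d' and typos such as '203.0.113.300' land here,
    so a broken file is refused before it can lock you out.
    """
    bad = []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            ipaddress.ip_network(text, strict=False)
        except ValueError:
            bad.append(raw)
    return bad


def parse_allowlist(entries):
    """Turn the entries into ip_network objects, refusing bad or empty lists."""
    bad = invalid_entries(entries)
    if bad:
        raise ValueError(f"not IP addresses or CIDR ranges: {bad}")
    nets = [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]
    if not nets:
        raise ValueError("allow-list is empty: this file would lock everyone out")
    return nets


def _fmt(net):
    """Single hosts are written bare; real ranges keep their prefix length."""
    return str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen


def render_htaccess(entries, apache24=False):
    """Render the .htaccess text for Apache 2.2 (as in the post) or 2.4."""
    nets = parse_allowlist(entries)
    lines = []
    if apache24:
        lines.append("<RequireAny>")
        lines.extend(f"    Require ip {_fmt(n)}" for n in nets)
        lines.append("</RequireAny>")
    else:
        lines.extend(HEADER_22)
        for i, n in enumerate(nets, 1):
            lines.append(f"# Allowed address {i}")
            lines.append(f"allow from {_fmt(n)}")
    return "\n".join(lines) + "\n"


def is_allowed(client_ip, entries):
    """Simulate the deny-all-then-allow decision for one visitor address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_allowlist(entries))


if __name__ == "__main__":
    # Constructed sample: one home address plus an office /24.
    allow = ["203.0.113.7", "198.51.100.0/24"]
    print(render_htaccess(allow))
    for probe in ("203.0.113.7", "198.51.100.200", "192.0.2.1"):
        print(probe, "->", "allowed" if is_allowed(probe, allow) else "denied")
```

Run it with your real addresses before uploading; if `invalid_entries` reports anything, or `is_allowed` says your own address is denied, fix the list rather than the server.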
2. Lock your plugins and themes directories
Open your browser and navigate to www.yoursite.com/wp-content/plugins and www.yoursite.com/wp-content/themes.
If you are able to see a listing of all your plugins and themes there, I am afraid others (especially hackers) can also see them. If you run an outdated plugin, hackers can take advantage of this, so it is better not to reveal what plugins and themes you are using.
Create a blank index.html file and upload it to your wp-content/themes and wp-content/plugins directories. This prevents anyone from casually browsing your plugins and themes directories.
Alternatively, you can also create a .htaccess file to stop others from browsing your directories. Open Notepad and add the following code:
Options -Indexes
Save it as .htaccess and upload the file to your plugins and themes directories. This is the more robust and correct way of denying directory listings to browsers.
3. Remove WordPress version information from the header
There is no use in showing what version of WordPress you are using. Open your header.php file and find the following code:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Delete the above code mercilessly.
Now open your website and view the page source. You will still find something like:
<meta name="generator" content="WordPress 2.7" />
This is because WordPress automatically adds its version number to all your blog pages. If you are using an older version of WordPress, hackers might take advantage of it. To stop this completely, add the following code to the functions.php file of your current WordPress theme:
<?php remove_action('wp_head', 'wp_generator'); ?>
Thanks Digital Inspiration.
There is also a WordPress plugin that simplifies the issue. It presents a fake version of WordPress in your blog header.
4. Deactivate and permanently delete inactive plugins and themes
Only use the plugins that you need. Don't just deactivate the unused plugins and themes; delete them permanently from your server. Not only does this ensure faster loading of your blog, it also removes the security holes that any plugin might cause.
5. Regularly back up your database
Everyone advises you to back up the database regularly because it is really very, very important. If something goes wrong while experimenting on your blog, you can lose your entire blog for nothing. So ensure that proper backups are taken at regular intervals.
I recommend using the WP-Database-Backup plugin. It offers a daily or weekly backup of your WordPress blog. Just activate the plugin, schedule it and forget it. The plugin works in the background and emails you the database backup.
Remember, a backup is not only the fastest way to restore your site to working order, it is also sometimes the only way.
6. Remove the XML-RPC / Windows Live Writer manifest link if you are not using it.
If you do not use Windows Live Writer to create blog posts, add the following code to the functions.php file of your WordPress theme:
<?php remove_action('wp_head', 'wlwmanifest_link'); ?>
The wlwmanifest link is used by WLW to refresh your blog's settings and themes. So if you aren't using Windows Live Writer there is no use in emitting that link.
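Steps 3 and 6 both end with "look at the page source", and the two leaks are easy to miss by eye in a long header. The scanner below is an added example (not from the original post) that parses a page's HTML and reports the generator meta tag, with the version it exposes, and any wlwmanifest link. The two HTML samples are constructed to show a header before and after applying both steps; on a real site you would pass in the page source you fetched yourself.

```python
"""Audit page HTML for the version leaks covered in steps 3 and 6.

Added example, not code from the original post. The sample HTML below is
constructed; feed find_version_leaks() the real page source you fetched.
"""
import re
from html.parser import HTMLParser


class _LeakScanner(HTMLParser):
    """Collects (kind, detail) pairs for each leaking tag in the document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # <meta ... /> is self-closing; HTMLParser still routes it here.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = re.search(r"WordPress\s*([\d.]+)?", a.get("content", ""), re.I)
            if m:
                # A bare "WordPress" with no number is what the fake-version
                # plugin or a stripped tag looks like; still worth reporting.
                self.findings.append(("generator-meta", m.group(1) or "(no version)"))
        if tag == "link" and "wlwmanifest" in a.get("rel", "").lower():
            self.findings.append(("wlwmanifest-link", a.get("href", "")))


def find_version_leaks(html_source):
    """Return a list of (kind, detail) tuples; an empty list means clean."""
    scanner = _LeakScanner()
    scanner.feed(html_source)
    scanner.close()
    return scanner.findings


# Constructed sample: a header before steps 3 and 6 are applied.
SAMPLE_BEFORE = """<html><head>
<title>My blog</title>
<link rel="wlwmanifest" type="application/wlwmanifest+xml"
      href="http://www.example.com/wp-includes/wlwmanifest.xml" />
<meta name="generator" content="WordPress 2.7" />
</head><body></body></html>"""

# Constructed sample: the same header after both remove_action() calls.
SAMPLE_AFTER = """<html><head>
<title>My blog</title>
</head><body></body></html>"""


if __name__ == "__main__":
    for label, page in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, find_version_leaks(page) or "clean")
```

Run this against your own front page after editing functions.php; until it prints `clean`, a theme or plugin is still adding one of the tags back.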
7. Don't let users register as members of your site
By default anyone can register on your blog from www.yoursite.com/wp-login.php?action=register.
This doesn't serve any purpose and you don't benefit in any way. So why let people register and log in to your WordPress dashboard? They can see what's happening in your blog right away!
Under the General settings, uncheck the checkbox "Anyone can register". If you still want to use this functionality, okay, go ahead, but remember to keep the default role set to "Subscriber".
8. Abandon the username "admin" and use a strong password
Most WordPress blogs have the username admin by default. This is one step closer to an unsecured blog. Create another, uncommon username and use a secure password for it. Mix capital letters and numbers in the password. Grant administrator privileges to this username and delete the username "admin". Before deleting it, assign the posts of the username "admin" to your newly created username.
If you have more than one author on your blog, use the Role Manager plugin to define the capabilities of each user group.
9. Do not let the search bots index your wp- directories.
This is not really a security measure, but it is very useful. Open any text editor and add the following code:
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/themes/
Allow: /wp-content/uploads/
Save the file as robots.txt and upload it to your blog's root directory. This file prevents your important and critical files from being indexed by the search engines.
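To see exactly which URLs that file keeps out of the index, the evaluator below (an added example, not from the original post) parses a robots.txt in the simple prefix form shown above and decides a path the way well-behaved crawlers do: the longest matching rule wins, and on a tie `Allow` beats `Disallow`. It goes slightly beyond the post's file by handling per-agent groups and the tie rule; wildcard patterns are deliberately not supported. The robots.txt text and the test paths are constructed for the example.

```python
"""Evaluate a prefix-style robots.txt like the one in step 9.

Added example, not code from the original post. Implements longest-match
with Allow winning ties (as crawlers do); no '*' or '$' wildcard support.
"""

# Constructed copy of the step 9 file, with one extra group for illustration.
ROBOTS_TXT = """\
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/themes/
Allow: /wp-content/uploads/

# Example of a per-agent group; a bot named here ignores the '*' group.
User-agent: ExampleBot
Disallow: /
Allow: /wp-content/uploads/
"""


def parse_robots(text):
    """Return {agent_lowercase: [(kind, path), ...]} for each User-agent group."""
    groups = {}
    current = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            current = groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow") and current is not None:
            current.append((field, value))
    return groups


def is_crawl_allowed(groups, agent, path):
    """Decide one path for one agent: longest prefix wins, Allow wins ties."""
    rules = groups.get(agent.lower())
    if rules is None:
        rules = groups.get("*", [])
    best = None                                   # (match length, is_allow)
    for kind, prefix in rules:
        if not prefix:                            # 'Disallow:' (empty) allows all
            continue
        if path.startswith(prefix):
            candidate = (len(prefix), kind == "allow")
            if best is None or candidate > best:
                best = candidate
    return best is None or best[1]


def index_report(groups, agent, paths):
    """Map each path to True (crawlable) or False (kept out of the index)."""
    return {p: is_crawl_allowed(groups, agent, p) for p in paths}


if __name__ == "__main__":
    g = parse_robots(ROBOTS_TXT)
    probes = ["/wp-admin/install.php", "/wp-content/themes/default/style.css",
              "/wp-content/uploads/2009/01/photo.jpg", "/2009/01/hello-world/"]
    for agent in ("Googlebot", "ExampleBot"):
        print(agent, index_report(g, agent, probes))
```

Keep in mind what this file is: a request that polite crawlers honour, and a public list of the paths you consider sensitive. It hides nothing from a human visitor, so the real protection for wp-admin and the plugin directories stays with steps 1 and 2.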
There are WordPress plugins for security as well!
10. Use the WP Security Scan plugin
The WP Security Scan plugin scans your WordPress blog's directories for security vulnerabilities and suggests corrective actions. It allows you to change the database table prefix, see the WordPress version information, the current and required file permissions (chmod) of directories, the configuration of .htaccess, etc. It also comes with a password tool to generate strong passwords for you.
Download: WP Security Scan. (Important: be sure to back up your database before changing the table prefix.)
11. Use the Login LockDown plugin
This plugin records the IP address and the timestamp of every unsuccessful login. When a limit of unsuccessful attempts is reached from the same IP address, the plugin disables the login function for all requests from that range. Download: Login LockDown v1.2
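The logic the paragraph describes is small enough to show in full. The tracker below is an added example, not the plugin's own code: it keeps a sliding window of failed logins per IP, and once the limit is hit it locks the containing range for a fixed period, so that even a valid password from a neighbouring address in that range is refused until the lock expires. The thresholds (3 failures in 5 minutes, a 60-minute lock, a /24 range) and the log lines are constructed for the example; the post does not state the plugin's defaults.

```python
"""Failed-login lockout in the style of step 11.

Added example, not the Login LockDown plugin's code. Thresholds and the
sample log are constructed assumptions, not values taken from the post.
"""
import ipaddress
from collections import defaultdict, deque


class LoginLockdown:
    def __init__(self, max_failures=3, window_seconds=300,
                 lockout_seconds=3600, range_prefix=24):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.range_prefix = range_prefix
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # network -> epoch when the lock expires

    def _range(self, ip):
        """The block that gets locked when one address inside it misbehaves."""
        return ipaddress.ip_network(f"{ip}/{self.range_prefix}", strict=False)

    def is_locked(self, ip, now):
        net = self._range(ip)
        expires = self.locked_until.get(net)
        if expires is None:
            return False
        if now >= expires:                   # lock has aged out; forget it
            del self.locked_until[net]
            return False
        return True

    def record_failure(self, ip, now):
        """Log one failed attempt; return True if this one trips the lock."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # keep only the sliding window
        if len(recent) >= self.max_failures:
            self.locked_until[self._range(ip)] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)


# Constructed log: "epoch ip result" for each login attempt, in time order.
SAMPLE_LOG = [
    "1230768000 203.0.113.9 fail",
    "1230768030 203.0.113.9 fail",
    "1230768060 203.0.113.9 fail",       # third failure in 5 min: lock 203.0.113.0/24
    "1230768090 203.0.113.9 fail",       # refused without even checking the password
    "1230768100 203.0.113.42 success",   # same /24, valid password: still refused
    "1230768100 198.51.100.5 success",   # different range: passes
]


def replay(log_lines, tracker):
    """Feed the log through the tracker; return one decision per line."""
    decisions = []
    for line in log_lines:
        epoch, ip, result = line.split()
        now = int(epoch)
        if tracker.is_locked(ip, now):
            decisions.append("blocked")
        elif result == "fail":
            decisions.append("locked" if tracker.record_failure(ip, now) else "fail")
        else:
            tracker.record_success(ip)
            decisions.append("ok")
    return decisions


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, replay(SAMPLE_LOG, LoginLockdown())):
        print(f"{verdict:8} {line}")
```

Locking the whole range, as the post describes, catches an attacker who rotates through neighbouring addresses, but it also refuses legitimate users who share that block; keep the lock period short and make sure the range does not contain your own address from step 1.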
12. Use the AskApache Password Protect plugin
The AskApache Password Protect plugin provides additional password protection for critical areas of your blog's directories. It doesn't modify your database and doesn't update your core WordPress files. Instead it lets you set passwords and permissions on your blog's directories (e.g. wp-admin).
When initiated it performs routine scans and asks you to set the required file permissions on the respective directories. This plugin is for advanced users and requires knowledge of .htaccess and HTTP requests.
13. Subscribe to the WordPress Development Blog
When the WordPress developers patch a security hole or release a newer version, chances are they will announce it on their blog. If you find a security update, apply the patch as soon as possible.
Subscribe to the WordPress Development blog.
There are some other plugins, such as the Maximum Security WordPress plugin and wp-scanner by BlogSecurity. Use them if they fit your needs. Do whatever is necessary and have a secure WordPress blog.
Happy optimizing!