Securing WordPress

Here at ServWise, we see daily attacks on WordPress websites and regularly see sites being compromised by hackers. To help our customers we have compiled a short checklist of the main security actions all customers using WordPress should follow.

Step 1: Keep up to date.

It is vitally important when using WordPress that you run the latest version. Hackers target WordPress because of its popularity and because it is easy for someone without a proper understanding of security to set up a website with it, which makes WordPress a prime target.

Step 2: Secure usernames and passwords

Always use a complex, unique password for each login, including your MySQL logins. We regularly see control panel accounts accessed by hackers because the same password was used for the MySQL connection, which is stored in plain text inside wp-config.php. Passwords should be at least 8 characters long and include a mix of upper and lower case letters, numbers and symbols. Never use admin as the username.

Step 3: Move wp-config.php outside your website root

wp-config.php contains all of your database connection details, so moving it outside your public website folder (where a hijacked script might be able to read it) is a good idea. If WordPress is installed directly in the public_html or wwwroot folder (e.g. /home/public_html/wp-config.php) you can simply move the file one folder up, into the parent directory (e.g. /home/wp-config.php), and WordPress will find it automatically (remember to give the moved wp-config.php read permission for the domain user). If WordPress is installed in a sub-folder of your site, or you want to store the file elsewhere, move the original file and create a new wp-config.php in the WordPress folder containing the following code, edited so that the require_once path points to where you moved the original file.

<?php
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') ) {
    define('ABSPATH', dirname(__FILE__) . '/');
}

/** Location of your WordPress configuration: edit this path to point at the moved file. */
require_once(ABSPATH . '../phpdocs/wp-config.php');

Step 4: Disable File Editing

By default WordPress allows administrators to edit files such as plugin and theme files from the dashboard. This is often the first tool a hacker will use once they have gained access to the admin area. You can disable editing by placing this line in your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

Step 5: Disable unused plug-ins

If a plug-in is unused then disable it.

Step 6: Restrict admin access to your own IP

If you have a static IP address, add the following to your .htaccess file to restrict admin access to that IP only; edit the REMOTE_ADDR line so that it contains your own IP address:

RewriteEngine on
# Match the login page and anything under /wp-admin
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin(/.*)?$
# Replace the placeholder 203.0.113.10 with your own static IP (keep the dots escaped)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^(.*)$ - [R=403,L]

If you don't have a static IP you can still use this rule: update the IP via FTP or the control panel whenever your address changes and you need access to the admin area. Note that some themes and plugins call /wp-admin/admin-ajax.php for ordinary visitors, so if front-end features stop working after adding the rule, exclude that file from it.
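The following audit script is an added example (not ServWise's or WordPress's own code) that checks a WordPress document root against steps 2, 3, 4 and 6 above: it looks for wp-config.php in the parent folder, reads the plain-text DB_PASSWORD length from it, confirms DISALLOW_FILE_EDIT is set, and checks .htaccess for a REMOTE_ADDR restriction on wp-login.php. The two sample installs it builds under a temporary directory are constructed for the demonstration.

```shell
# wp_audit DOCROOT: prints one PASS/FAIL line per check, returns the number of failures.
wp_audit() {
    root="$1"; cfg="$1/wp-config.php"; fails=0
    # Step 3: wp-config.php belongs one folder up, outside the web root.
    if [ -f "$cfg" ]; then
        echo "FAIL step 3: $cfg is inside the web root"; fails=$((fails + 1))
    else
        cfg="$(dirname "$root")/wp-config.php"
        [ -f "$cfg" ] && echo "PASS step 3: config lives in $(dirname "$root")"
    fi
    if [ -f "$cfg" ]; then
        # Step 2: the MySQL password sits here in plain text; require at least 8 characters.
        pw=$(sed -n "s/^define([[:space:]]*['\"]DB_PASSWORD['\"][[:space:]]*,[[:space:]]*['\"]\(.*\)['\"][[:space:]]*);.*/\1/p" "$cfg")
        if [ "${#pw}" -lt 8 ]; then
            echo "FAIL step 2: DB_PASSWORD missing or shorter than 8 characters"; fails=$((fails + 1))
        else
            echo "PASS step 2: DB_PASSWORD has ${#pw} characters"
        fi
        # Step 4: dashboard file editing must be switched off.
        if grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
            echo "PASS step 4: DISALLOW_FILE_EDIT is true"
        else
            echo "FAIL step 4: DISALLOW_FILE_EDIT is missing or not true"; fails=$((fails + 1))
        fi
    fi
    # Step 6: .htaccess should gate wp-login.php on the visitor's REMOTE_ADDR.
    if grep -q 'RewriteCond %{REMOTE_ADDR}' "$root/.htaccess" 2>/dev/null &&
       grep -q 'wp-login' "$root/.htaccess"; then
        echo "PASS step 6: wp-login.php is restricted by IP"
    else
        echo "FAIL step 6: no REMOTE_ADDR restriction on wp-login.php"; fails=$((fails + 1))
    fi
    return "$fails"
}
# Constructed sample layouts (not real sites): one weak install and one hardened install.
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
WEAK="$SAMPLE/weak/public_html"; HARD="$SAMPLE/hard/public_html"
mkdir -p "$WEAK" "$HARD"
printf "<?php\ndefine('DB_PASSWORD', 'pass');\n" > "$WEAK/wp-config.php"
printf "<?php\ndefine('DB_PASSWORD', 'Xk9#qL2mVp7z');\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$SAMPLE/hard/wp-config.php"
cat > "$HARD/.htaccess" <<'EOF'
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^(.*)$ - [R=403,L]
EOF
for d in "$WEAK" "$HARD"; do
    echo "== $d"; wp_audit "$d" || echo "$? check(s) failed"
done
```

Point wp_audit at your own public_html (or wwwroot) folder to run the same checks against a real install.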

Other things to do

These and other securing techniques for WordPress can be found at
There are also a number of security plugins which may be of use:
WordFence: scans your WordPress installs for malware by comparing files against known-good WordPress code.
BruteProtect: a blocker for limiting common brute force attacks.
