
WordPress Security Tips and Hacks

February 17th, 2008

We all agree that having a secure WordPress weblog should be one of our first priorities when keeping a successful blog. In this post we’d like you to share your knowledge and help us create a WordPress Security guide to keep the bad guys out.

Below are 10 security tips that you can easily implement on your WordPress blog. Please share one or more life-savers you rely on to protect yourself from WordPress security issues.

1) Nobody should be allowed to search your entire server.

  • WPdesigner advises us NOT to use this search code in search.php:

    <?php echo $_SERVER ['PHP_SELF']; ?>

    Nobody should be allowed to search your entire server that way. Use this one instead:

    <?php bloginfo ('home'); ?>
  • Block wp- folders from being indexed by search engines; the best way to block them is in your robots.txt file. Add the following line to your list:

    Disallow: /wp-*
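As an added illustration (not code from the original post or from WPdesigner), here is the unsafe search form beside a hardened one. `$_SERVER['PHP_SELF']` is built from the request URL, including any extra path a visitor appends, so printing it raw into the action attribute lets request data land in your HTML unescaped (a reflected cross-site scripting risk). The hardened form uses `home_url()`, the current equivalent of the `bloginfo('home')` call recommended above, wrapped in `esc_url()`, and reads the remembered query with `get_search_query()`, which escapes it for attribute context:

```php
<?php
// searchform.php -- added example, not from the original post.

// UNSAFE (what the post warns against): PHP_SELF is derived from the
// request path, so anything a visitor appends to the URL is echoed
// straight back into the markup without escaping.
?>
<form method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <input type="text" name="s" value="" />
    <input type="submit" value="Search" />
</form>

<?php
// HARDENED: the action is a fixed URL that WordPress produces, escaped
// for attribute context; the previous query is escaped by get_search_query().
?>
<form role="search" method="get" action="<?php echo esc_url( home_url( '/' ) ); ?>">
    <input type="search" name="s" value="<?php echo get_search_query(); ?>" />
    <button type="submit">Search</button>
</form>
```

Only the second form belongs in a live theme; the first is shown solely so the difference is visible side by side. The rule generalises beyond search forms: never print `$_SERVER['PHP_SELF']`, `REQUEST_URI` or any other request-derived value into HTML without an escaping function for that context.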

2) Directories should not be left open for public browsing

There is a potential problem in letting people know which plugins you have, or which versions they are. If there is a known exploit linked to a plugin, it could be easy enough for someone to use it to their advantage. Create an empty wp-content/plugins/index.html file, or just add this line to the .htaccess file in your root:

Options All -Indexes

3) Drop the version string in your Meta Tags

A large number of WordPress themes include the WordPress meta tag that shows the version of WordPress running on your blog, which makes your blog an easy target for hackers if you haven’t upgraded, as pointed out by Matt Cutts. Another solution involves a plugin that sets up a secondary new version.

This is the tag in the header.php file that displays your current version of WordPress:

    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

4) Protecting your WordPress wp-admin folder

Attackers can use bots for a brute force style of attack that simply guesses the admin password until they come up with the correct one and log in. There are a couple of solutions out there; we highlight each below.

  • Limit access to the wp-admin folder by IP address – This solution restricts which IPs can access the wp-admin folder via .htaccess. It has one drawback: you may have to update your .htaccess file if your internet provider assigns you a dynamic IP address, you move to another location, or you have authors at other locations.
  • AskApache Password Protect – The plugin is simple: it adds a second layer of security to your blog by requiring a username and password to access anything in the /wp-admin/ folder. All you have to do is choose a username and password and you are done. It writes the .htaccess file without messing it up. It also encrypts your password and creates the .htpasswd file, as well as setting the correct security-enhanced file permissions on both.
  • Login Lockdown plugin – Records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.
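As an added example, not part of the original post and not the Login Lockdown plugin’s own code, the following must-use plugin (dropped into wp-content/mu-plugins/) shows the mechanics behind tips 3 and 4: it removes the generator meta tag and implements a range-based lockout for failed logins. The hook names (`wp_head`, `the_generator`, `wp_login_failed`, `authenticate`) and the transient functions are WordPress’s own; the thresholds, the `np_` prefix and the /24 grouping are assumptions of mine.

```php
<?php
/*
Plugin Name: Generator removal + login lockdown (added example)
Description: Illustrative mu-plugin. Thresholds, names and /24 grouping are assumptions, not the Login Lockdown plugin's code.
*/
if ( ! defined( 'ABSPATH' ) ) { exit; }

// Tip 3: stop advertising the WordPress version in <head> and in feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Tip 4: lock out an IP range after repeated failed logins.
// Assumed policy: 5 failures from one /24 within 10 minutes locks that range for 30 minutes.
define( 'NP_LOCK_MAX_FAILURES', 5 );
define( 'NP_LOCK_WINDOW',       10 * MINUTE_IN_SECONDS );
define( 'NP_LOCK_DURATION',     30 * MINUTE_IN_SECONDS );

/**
 * Key used to count failures: the client's /24 for IPv4, the full address otherwise.
 * Only REMOTE_ADDR is trusted. Behind a reverse proxy, resolve the real client
 * address first; otherwise a forged X-Forwarded-For could get other ranges locked.
 */
function np_lock_client_range() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        $octets    = explode( '.', $ip );
        $octets[3] = '0';
        return implode( '.', $octets ) . '/24';
    }
    return $ip;
}

function np_lock_key( $prefix ) {
    return $prefix . md5( np_lock_client_range() );
}

/** Runs on every failed login: count it, and lock the range once the threshold is reached. */
function np_lock_record_failure( $username ) {
    $count = (int) get_transient( np_lock_key( 'np_lock_fail_' ) ) + 1;
    set_transient( np_lock_key( 'np_lock_fail_' ), $count, NP_LOCK_WINDOW );

    if ( $count >= NP_LOCK_MAX_FAILURES ) {
        set_transient( np_lock_key( 'np_lock_block_' ), time(), NP_LOCK_DURATION );
        delete_transient( np_lock_key( 'np_lock_fail_' ) );
        // Log for the admin or a SIEM; the username is kept for correlation, never the password.
        error_log( sprintf( 'login lockdown: %s locked after %d failures (last username tried: %s)',
            np_lock_client_range(), $count, $username ) );
    }
}
add_action( 'wp_login_failed', 'np_lock_record_failure' );

/**
 * Priority 30 runs after the core username/password check (priority 20), so a
 * locked range is refused even when the submitted password happens to be correct.
 * Attempts made while locked still count as failures, so a persistent guesser
 * keeps renewing its own lock.
 */
function np_lock_check( $user, $username, $password ) {
    if ( get_transient( np_lock_key( 'np_lock_block_' ) ) ) {
        return new WP_Error( 'np_locked', 'Too many failed login attempts from your network. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'np_lock_check', 30, 3 );
```

Grouping by /24 mirrors the "same IP range" behaviour the tip describes; the trade-off is that legitimate authors sharing that range with a guesser are locked out too, which is why the lock expires rather than being permanent.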

5) Stay up to date

You need to keep your plugins/widgets, themes, and WordPress version updated. Also, subscribing to the plugin/widget/theme authors’ RSS feeds makes keeping up with them much easier.

6) Take regular backups of your site and Database

You always have to take regular backups of your file directories as well as the database. The WordPress Database Backup plugin creates backups of your core WordPress tables as well as other tables of your choice in the same database.

7) Update your wordpress to latest version

Probably the first thing you should do! Install the Instant Upgrade Plugin or the WordPress Automatic Upgrade Plugin. Make sure you back everything up before performing the upgrades.

8) Use SSH/Shell Access instead of FTP

This is one of the best tips I found here. If someone gets hold of your FTP login information (which is usually not encrypted and easy to get), they can manipulate your files and add spam to your site without you even knowing about it! Using SSH, everything is encrypted, including the transfer of files.

9) Stop worrying about your wp-config.php file

Keep your database username and password safe by adding the following to the .htaccess file at the top level of your WordPress install (the block must be closed with </FilesMatch>, otherwise Apache returns an Internal Server Error):

<FilesMatch "^wp-config\.php$">
deny from all
</FilesMatch>

This will make it harder for your database username and password to fall into the wrong hands in the event of a server problem.

10) Protect Your Blog With a Solid Password

Creating a strong password that is also memorable is one of the easiest defenses against being hacked. There are a lot of online password strength checkers that you could use.

Also you might check Lorelle’s article on the Blog Herald called Protect Your Blog With a Solid Password, offering tips and tricks to help create a strong password that is also memorable, and how to deal with all the myriad passwords we seem to accumulate online.

The jungle is alive: Be it a collaboration between two or more authors or an article by an author not contributing regularly. In these cases you find the Noupe Editorial Team as the ones who made it. Guest authors get their own little bio boxes below the article, so watch out for these.


82 comments for “WordPress Security Tips and Hacks”
  1. Frank on February 18th, 2008 at 5:41 am
    • Anders Vinther on May 16th, 2012 at 6:02 pm

      This is a great list of things to do to secure your WordPress site…

      I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…

      I have now written up my experiences in a WordPress Security Checklist which can be downloaded for free on

      My checklist has a few more items and detailed steps for how to get the job done.

      Hopefully the checklist can help other people securing their WordPress sites…

  2. Tristan on February 18th, 2008 at 9:08 am

    very useful tips

  3. kuldeep on February 18th, 2008 at 9:33 am

    Hey, nice tip… till now, stupidly, I gave security a back seat.

  4. milo on February 18th, 2008 at 11:12 am

    First lines are cut and pasted from a SP post…

  5. Noupe on February 18th, 2008 at 1:32 pm

    I guess you mean WPdesigner’s website, and yes a link was given to them. I guess you didn’t notice it.

  6. Jordan on February 18th, 2008 at 3:49 pm

    Noupe, that’s because Milo saw your unedited post. You only changed it once you had a comment in regards to stealing content from another user. SP also stands for Small Potato, the owner/author of WPDesigner.

    Robert, I completely agree with you. I just find it ironic that it’s a resource to help you “craft clean usable websites.” Which is probably why I almost never view this site with CSS enabled and the ads disabled. Too much garbage littering what the site is truly about: its content.

    You have almost the same amount of space delegated to ads as there are for content. Horrible placement, that’s for sure.

  7. Noupe on February 18th, 2008 at 4:04 pm

    The link to wpdesigner’s website was placed the first time this post was published and the link was originally there. Noupe is not stealing other people’s stuff; if you have ever checked our previous posts you will find clearly that we always add links and credits to original sources.
    Our site’s focus is to inform our readers about the latest tips and techniques in web design, and we never say that these tips are ours unless they really are.
    P.S. I like your website’s design; it reminds me of Using almost the same colors, the same right placement of the logo, the same footer, the same navigation bar. Overall the same look and feel.

  8. Dan on February 18th, 2008 at 4:42 pm

    Noupe is definitely a cool and innovative site and credits are given to where it belongs :)

  9. Erica on February 18th, 2008 at 5:25 pm

    It’s really easy to know if Noupe gave credit or not.
    Just go to and you will find that a trackback link was added on the same day Noupe published this post, which is Feb 17; this means it’s one day before these lazy commentators created this buzz out of nothing ;)
    Nice tips Noupe, keep going :)

  10. 3stripe on February 20th, 2008 at 1:06 am

    #9 gives me an instant server error message on a Plesk-managed server!

    Good tips otherwise though

  11. Vineet Kumar on February 26th, 2008 at 5:05 pm

    Nice tips, but do you have any other tips related to abnormal use of HTTP_REFERER?

  12. Chad Mueller on February 29th, 2008 at 11:23 am

    This is a very important step for blogs that I missed. I was infected with a trojan virus, and I didn’t see it (I work on a Mac), but when PC users visited my posts there were some serious problems, with a virus trying to infect their machines, so I have learned my lesson, fixed the problem, said sorry to my great visitors, and now security is a must.

    These tips have been vital to my blog.

    Thank you


  13. Benjamin Sterling on March 10th, 2008 at 12:11 pm

    I would also add that a WP plugin developer should add something along the lines of:

    if ( preg_match( '#' . basename( __FILE__ ) . '#', $_SERVER['PHP_SELF'] ) ) {
        // Stop the plugin file from being requested directly instead of being loaded by WordPress.
        die( 'You are not allowed to call this page directly.' );
    }

    to the top of their plugins to help with security.

  14. José Fontainhas on March 10th, 2008 at 5:12 pm

    Great article, but shouldn’t item #9 be:

    deny from all


    The instruction as listed in the post generates an Internal Server Error every time.

  15. José Fontainhas on March 10th, 2008 at 5:20 pm

    *Sorry, forgot to wrap in code tags

    Great article, but shouldn’t item #9 be:

    deny from all


    deny from all


    The instruction as listed on the post generates an Internal Server Error every time.

  16. paul on March 19th, 2008 at 11:30 am

    really nice list here. as for the ssh tip – bravo. it’s one of those really nice things that is super convenient as well as secure. soon, you find yourself using ssh for nearly every server admin task you can think of.

  17. Bilim ve Teknoloji on March 30th, 2008 at 2:01 am

    Hey, nice tip… till now, stupidly, I gave security a back seat.

  18. hema on May 23rd, 2008 at 7:51 pm

    the best tips i read, thanks for sharing

  19. Monica on May 27th, 2008 at 10:27 pm

    Thank you for the tips. I’ve been looking for something like this post for a while. You really made it simple and basic.

    Thanks again,


  20. Paul on June 5th, 2008 at 12:06 am

    Great tips. I recently let my blogs go without an update for 6 months. I came back to them to find numerous parts hacked. Adsense ads had different affiliate IDs, pharmacy and spam through posts and comments. Even folders full of spam files on the server. Basically every possible hack had been done to them.

    WordPress is a high profile app and blackhats are always looking for the exploits then scanning the web for people who have unpatched blogs. Not safe.

  21. Enfotainer on July 3rd, 2008 at 12:17 am


    Thanks for the wonderful tips. One of my sites got hacked, so I was really worried and searching for how I could make blogs more secure and hence stumbled upon your site.


  22. Bernhard on August 5th, 2008 at 7:36 am

    It should be added that a “disallow” in robots.txt does not provide any security at all. A malicious bot can simply choose to ignore it and your server will be helpless.

    Even people with the best of intentions can sting you by accident. There are programs which can act like bots, but adhere only to the rules for browsers. wget and curl are two examples.

    If somebody wants to download all your articles for off-line reading and uses such a downloader clumsily set to follow each and every internal link it finds at your site, you may just be in trouble.

    Both wget and curl will only stop if they encounter either a 404 (not found) or a 403 (forbidden). In that they behave like browsers, which also don’t look at robots.txt.

    So – if any of your internal links lead into sensitive territory, make sure the target is password protected.

  23. jendalsepit on August 18th, 2008 at 3:19 am

    nice tips noupe …

  24. Amit on October 7th, 2008 at 1:35 pm

    Very nice tips there buddy, you covered almost all the aspects on wordpress security.

  25. MaNshY on October 10th, 2008 at 7:20 am

    thanx for this topic i love it

  26. JK on November 9th, 2008 at 7:04 am

    Hi, Thanks for the great write-up:

    Regarding 9, if I put that code in .htaccess, it does not allow me to log in as well.

    Is that the correct command? Could you confirm?

    Also, to disable the directory browsing, you mentioned “Options All -Indexes” command. Would this disable the search engine crawling as well?

    Thanks again, JK

  27. Mr.Mix on November 1st, 2009 at 5:13 am

    thanks for this TOPIC i really love it ^^

  28. Security-Firm on November 3rd, 2009 at 11:07 am

    Nice write up, but you have to use SSH, just in case.

  29. Harsh Agrawal on November 18th, 2009 at 7:10 pm

    Most people leave their blog directory scannable by search engines and publicly browsable. This is a big security hole for any blog…

  30. Frac on January 18th, 2010 at 10:47 am

    As far as passwords are concerned, I highly recommend a password manager like KeePass Password Safe.

    It generates passwords and maintains them in a secure database. I don’t even try to make passwords memorable or reasonably short (most of my passwords are now 25+ characters of completely random garbage).

    The auto-type function means just hitting a key-combination and having it find the proper password and using it.

    You, of course, now have to protect your password safe from loss. Not because it isn’t secure, but because you are depending on it. That’s fine by me.

    There are several of these types of programs. I chose KeePass because it also has a Linux version (KeePassX).

  31. LA Security Guards on February 14th, 2010 at 9:17 am

    Thanks for the tips! With all the hackers out there it is important to be safe. I will take some extra measures to protect my wordpress blogs.

  32. repair computers jacksonville on March 8th, 2010 at 12:35 am

    I’m always searching for things about topics that I don’t know about. It’s tough to find things that you do not know about, because what do you search for? ;) Your blog is the type of thing I love to read about regarding something new to me. Nice share! Thanks.

  33. Saw Htoo on April 7th, 2010 at 10:03 am

    Thanks for the tips. As I am using wordpress for my websites, this post is really useful for me.

  34. Praveen on April 12th, 2010 at 5:43 am

    Wow!!! Nice Stuff buddy…..
    Recently there was an attack on WordPress blogs by hackers. The saddest part is that the exploited security hole has not yet been identified:

    Dirty Attack Over Hundreds Of WordPress Blogs

  35. Sweater Chick on April 22nd, 2010 at 5:02 pm

    Hi there, I tried to follow the steps you mentioned, and I did great with changing passwords, but I really messed up my wp_config.php and deleted a bunch of code out the header.php. I actually ended up seeking help from They were great and fixed everything for me, but I have come to the conclusion that I’m just not meant to mess with this stuff myself. Oh my head.

  36. Michelle Flower on May 6th, 2010 at 4:28 pm

    Great blog!. I like it. Thanks.

  37. Shawana Litz on May 31st, 2010 at 2:47 pm

    I’ve been trying to get your feed? Having trouble can someone tell me how?

  38. Conquistar Chicas on June 13th, 2010 at 4:38 pm

    I came across your blog and found all the content great. I spent a long while reading. I will add the address to my news reader. If you are not doing anything interesting, drop by my blog. Let’s keep in touch!

  39. Ron on July 5th, 2010 at 2:28 am

    Very useful list. Thanks for sharing.

    However, you can apply a few more useful tips on WordPress security, like not using the default administrator account.

    Read more here

  41. gouthami.b on July 18th, 2010 at 10:44 pm

    Useful tips. I am new to WordPress; this post gives a good idea of how to secure WordPress.

  42. Tiago on September 17th, 2010 at 2:29 pm

    Nice security round-up, although step 9 has an error. Use instead:

    # to protect wp-config.php

    order allow,deny
    deny from all

  43. Tiago on September 17th, 2010 at 2:30 pm

    Ok, code on last comment did not go through. See this link for the full code:

  44. Vic on October 7th, 2010 at 6:58 pm

    Hi, thanks for giving us those tips. Having a strong password is a great and easy way to protect our site. But even though we have security measures, we still cannot guarantee a 100% bug-free website. So making a backup is still the best.

  46. ?????? ????? on November 8th, 2010 at 5:01 pm

    Very interesting post I learned a lot

  47. dome cameras on December 13th, 2010 at 6:03 pm

    Thanks a lot for sharing. You have done a brilliant job. Your article is truly relevant to my study at this moment, and I am really happy I discovered your website. However, I would like to see more details about this topic.

  48. Victor on December 14th, 2010 at 5:50 am

    How would I protect my admin files from search engines?

  49. Internet Securitt Group on December 21st, 2010 at 8:46 pm

    Great tips all of these do help in addition to many other customizations. Thanks again.

  50. Morris Soucie on December 22nd, 2010 at 5:23 am

    Concerning security programs, particularly for companies, I have to agree with what you have said completely. There are so many alternatives in the marketplace that it truly is significant for any expert to be aware of what is best for their situation and particular office building. The remarks you’re supplying continue to be a terrific assist to businesses and security professionals alike. Thank you again!

  51. ankit on January 18th, 2011 at 8:34 am

    Hey, very nice article. I will do all the settings soon.

  52. Bankruptcy Attorneys New York on January 18th, 2011 at 9:23 am

    Have you considered adding some relevant links to the article? I think it will really enhance viewers’ understanding.

  53. ronidhbd on February 3rd, 2011 at 9:25 am

    After implementing the above security steps the WordPress plugins don’t update. The server end is OK. File permissions are OK. Even when I undo the security steps taken, the WP plugins still don’t update. What’s the solution? Can anyone help?
    N.B.: The host support guy says the server configuration is OK.

  54. Mike on February 11th, 2011 at 5:26 pm

    It is also possible to protect the wp-config file by moving it up one directory.

  55. Fabrizio Van Marciano on February 22nd, 2011 at 12:03 pm

    Top tips, I certainly use the secure password and limited login attempts.

  56. Rahul Singh on March 2nd, 2011 at 8:01 am

    This is my stop, thanks dear, good work. I have read lots of posts regarding WordPress security and found this very useful for me, thanks dear.

  57. Mailing Fulfilment Services on March 16th, 2011 at 5:25 pm

    I will always use different passwords for all my blogs, each password containing a series of 6 letters and 6 numbers. There is some great advice here so thank you.

  58. Erick G on April 8th, 2011 at 7:33 am

    Another quick tip for the less technical folks out there: create a second full administrative user with a nice login name and delete the generic “admin” account (and by doing so with WordPress 3 and above you’ll even have the possibility to rename all the posts signed as “admin” to your “new you”).

  59. Desire Oldershaw on April 16th, 2011 at 1:49 pm

    I think this is among the most important information for me. And I am glad reading your article. But I want to remark on some general things: the website style is great, the articles are really excellent :D. Good job, cheers.

  60. Mark on April 25th, 2011 at 5:34 am

    Pretty good write-up – goes well with some other lists of security tips.

    One thing I run into a lot is people who think that there’s no such thing as security through obscurity – however that perspective most likely comes from a skewed perception. So people might want to read WordPress Security Through Obscurity? to gain some clarity.

  61. Frederik on May 10th, 2011 at 10:00 am

    Some very useful tips, thank you for this mate!

  62. Revitol cellulite on May 16th, 2011 at 1:02 pm

    This unique blog is obviously cool as well as diverting. I have chosen a bunch of useful stuff out of this blog. I’d love to return over and over again. Cheers!

  63. Leeanna Selman on May 30th, 2011 at 3:05 pm

    What I have often told people today is that when looking for a good online electronics retail outlet, there are a few issues that you have to consider. First and foremost, you should really make sure to choose a reputable as well as reliable shop that has got great evaluations and ratings from other people and industry experts. This will ensure you are dealing with a well-known store that gives good service and support to its patrons. Many thanks for sharing your thinking on this website.

  64. dung on June 8th, 2011 at 5:51 am

    Thank you very much!

  65. Irfan Shakeel on July 11th, 2011 at 11:18 am

    Thank you very much for the wonderful information, now I am going to use these tips….

  66. candra on September 11th, 2011 at 2:41 pm

    Great article… thanks for sharing…

  67. Paul Salmon on September 12th, 2011 at 8:21 pm

    Protecting your blog with a strong password is probably the best tip. In fact, you should choose a strong password for all your logins. The last thing you need is for someone to hack into your WordPress blog because they were able to guess your password.

  68. USANA on September 17th, 2011 at 4:13 pm

    I’ve been using the Options All -Indexes directive (and one to protect wp-config) in the htaccess file for my sites for quite a while. From time to time however they disappear and only my permalink redirect directives remain.

    I think this occurs either when I turn on/off directory password protection from cpanel (which updates the htaccess) or update my permalinks within WP (ditto). So if you’ve done either of those it wouldn’t hurt to check your htaccess file is still correct.

    • USANA on March 20th, 2012 at 4:56 am

      Oops – the disappearing htaccess updates was my own fault.
      I was putting them between the BEGIN/END that WordPress uses. Moving them outside the BEGIN/END makes them permanent.

  69. thomas on October 11th, 2011 at 5:44 pm

    One more: turn off PHP error reporting.

  70. Konto on December 16th, 2011 at 2:36 pm

    Hello, nice post, but I still have one question:

    Is there any way to change the admin panel login URL? It’s /wp-admin right now.

  71. Tony on January 4th, 2012 at 3:37 am

    Always change the table prefixes since SQL injection attacks will usually assume the default _wp.

  72. amit sharma on January 8th, 2012 at 3:00 am

    Thanks for the security tips, being a newbie, would like to rely on plugins as per now..some of them are unknown to me, will surely check them out.. :)

  73. Nayeem Modan on February 11th, 2012 at 3:18 am

    Thank you so much for the tips. I never thought about my blog security, but I am starting today after reading your post.

  74. Ella Toland on February 28th, 2012 at 5:03 am

    Thank you ever so much for your blog article. Great.

  75. Viprocker on April 11th, 2012 at 2:12 pm

    Thank you so much, I began WordPress in March 2012. These tips may save me :X

  76. Nardar on April 14th, 2012 at 8:34 am

    htaccess changes are a bit problematic for me. Is there any way to get around that without plugins?

  77. Janyson on April 14th, 2012 at 2:19 pm

    Well, I am aware of most of the tips here, but the one “Nobody should be allowed to search your entire server” is new and seems important to me.

  78. Firdaus Herliansyah on April 16th, 2012 at 4:29 am

    Thank you for this great article

  79. Fontana Lorenzo on June 20th, 2012 at 10:20 pm

    Hi, I published an updated list of WP security tips, check it here!

  80. srinivas on September 28th, 2012 at 7:03 am

    nice …………