Improving Wordpress Security In Five Easy Steps

Whilst Wordpress is a great publishing tool it does have its challenges, and one of my greatest concerns is always security. The Wordpress developers do a good job of releasing regular fixes, but attackers inevitably find new holes in each version. Left in its default state Wordpress can prove particularly vulnerable, so here is a list of simple steps you can take to make your Wordpress blog or website a much harder target. No site is hacker proof; the aim here is to remove the easy wins.
Step 1: Delete the Wordpress version information that appears in the header template.
This is the first step you should take, because the generator tag tells anyone who views the source of your Wordpress site exactly which version you're running, and a known version points straight at the published exploits for it. Simply delete the lines that look like this (see below) from the header template of the theme you have installed. Bear in mind that this only removes the most obvious marker: the version is also printed in the readme.html file that ships in the site root, so treat this step as tidying up rather than as real protection, and rely on Step 5 for that.
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
<!-- leave this for stats please -->
Step 2: Ensure your plugins folder isn’t viewable.
This can be achieved in two ways: either upload an empty index file (i.e. index.html) into the plugins folder, or make sure that directory browsing is turned off for the whole site. If you're using a web host that supports cPanel this is straightforward, as the Index Manager lets you turn off indexing for the public_html folder where your web files are uploaded. Blocking the listing stops a casual visitor from seeing at a glance which plugins you're running, and therefore which plugin bugs to try. It isn't a complete fix, since plugin files are still served if someone requests them by name and your page source often names them anyway, so keep your plugins updated too.
Step 3: Restrict access to your wp-admin folder.
If a hacker knows you're using Wordpress then they can guess the URL of the admin area, and your login page will take a lot of punishment from password guessing. So it's best to restrict access to this folder by IP address. If you have a static IP address then great; otherwise this may be tricky, as your ISP may change it frequently and you'll have to update the file each time. To restrict access, upload an .htaccess file with the following code to the wp-admin folder. Note that Apache does not allow a comment on the same line as a directive, so the comment sits on its own line. Bear in mind too that the login form itself is wp-login.php in the site root, not in wp-admin, so this rule protects the dashboard and does not by itself stop password guessing against the login page.
# Change 127.0.0.1 to your own IP address
order deny,allow
allow from 127.0.0.1
deny from all
Step 4: Stop wp-admin and wp-includes from being indexed by search engines.
This may seem hard to believe but it's happened to me in the past, so you'll want your trusty robots.txt file set up so that these folders aren't crawled by search engine spiders. The code you'll need looks like this (see below) and it should be uploaded to the root directory. Remember that robots.txt is purely advisory: well-behaved crawlers honour it, but anyone pretending to be a search engine will simply ignore it, and the file itself tells them where your admin folder lives. It keeps your admin pages out of search results; it does not keep attackers out.
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Step 5: Keep Wordpress up to date.
This may seem like a no-brainer, but it's easy to lose track of which versions of Wordpress you have installed and on which sites. If you have a web host that supports cPanel then you're in luck, as upgrading is usually a one-click process. If you don't then you'll have to upgrade manually. This doesn't take too long and Wordpress has detailed upgrade instructions, but if you have several websites to upgrade it can be a pain. Of the five steps this is the one that actually closes holes rather than hiding them, so don't skip it.
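As an added example (not code from the original post), here is a small Python script that audits a Wordpress document root against the five steps above. It looks for the generator tag in theme header templates, for an index file or an Options -Indexes directive covering wp-content/plugins, for an IP-restricted wp-admin/.htaccess (and flags the inline comment that Apache will not accept), for the two robots.txt rules, and compares the installed version with whatever you tell it the current release is. It builds a throwaway unhardened install in a temporary folder from constructed sample files, reports the findings, applies the fixes and audits again. The directory layout, the sample file contents and the "2.3.3" current-release value are assumptions made for the demonstration; point audit() at a real docroot to check a live site.

```python
"""Audit a Wordpress document root for the five hardening steps (added example,
not from the original post; layout, sample files and release value are assumed)."""
import re
import tempfile
from pathlib import Path


def check_generator_tag(docroot):
    """Step 1: flag theme header templates that still emit the generator meta tag."""
    findings = []
    for header in Path(docroot).glob("wp-content/themes/*/header.php"):
        text = header.read_text()
        if re.search(r'<meta\s+name="generator"', text, re.I) or "bloginfo('version')" in text:
            findings.append(f"version disclosure: {header.relative_to(docroot)} emits the generator tag")
    return findings


def check_plugin_listing(docroot):
    """Step 2: the plugins folder needs an index file, or 'Options -Indexes' in an
    .htaccess at or above it (Apache applies an .htaccess to every subdirectory)."""
    docroot = Path(docroot)
    plugins = docroot / "wp-content" / "plugins"
    if (plugins / "index.html").exists() or (plugins / "index.php").exists():
        return []
    for folder in (plugins, *plugins.parents):
        htaccess = folder / ".htaccess"
        if htaccess.exists() and re.search(r"^\s*Options\b[^\n#]*-Indexes", htaccess.read_text(), re.I | re.M):
            return []
        if folder == docroot:      # do not look above the site root
            break
    return ["directory listing: wp-content/plugins has no index file and no 'Options -Indexes' applies to it"]


def check_admin_restriction(docroot):
    """Step 3: wp-admin/.htaccess must deny everyone except listed addresses. Apache
    does not accept a comment after a directive on the same line, so that is reported too."""
    htaccess = Path(docroot) / "wp-admin" / ".htaccess"
    if not htaccess.exists():
        return ["wp-admin: no .htaccess restricting access by IP address"]
    lines = [line.strip() for line in htaccess.read_text().splitlines()]
    findings = []
    has_order = any(re.fullmatch(r"order\s+deny\s*,\s*allow", line, re.I) for line in lines)
    has_deny_all = any(re.fullmatch(r"deny\s+from\s+all", line, re.I) for line in lines)
    has_allow = any(re.match(r"allow\s+from\s+\S", line, re.I) for line in lines)
    if not (has_order and has_deny_all and has_allow):
        findings.append("wp-admin: .htaccess lacks 'Order Deny,Allow' + 'Deny from all' + 'Allow from <ip>'")
    for line in lines:
        if "#" in line and not line.startswith("#"):
            findings.append(f"wp-admin: inline comment is not valid Apache syntax, move it to its own line: {line!r}")
    return findings


def check_robots(docroot):
    """Step 4: robots.txt must disallow /wp-admin/ and /wp-includes/ for every agent."""
    robots = Path(docroot) / "robots.txt"
    if not robots.exists():
        return ["robots.txt: missing from the site root"]
    disallowed, agent = set(), None
    for raw in robots.read_text().splitlines():
        line = raw.split("#", 1)[0].strip()      # robots.txt does allow trailing comments
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            agent = value
        elif key == "disallow" and agent == "*":
            disallowed.add(value)
    return [f"robots.txt: no 'Disallow: {path}' under 'User-agent: *'"
            for path in ("/wp-admin/", "/wp-includes/") if path not in disallowed]


def check_version(docroot, current_release):
    """Step 5: compare $wp_version in wp-includes/version.php with the current release."""
    match = re.search(r"\$wp_version\s*=\s*'([^']+)'", (Path(docroot) / "wp-includes" / "version.php").read_text())
    if not match:
        return ["version: could not read $wp_version from wp-includes/version.php"]
    installed = match.group(1)

    def as_tuple(version):               # "2.3.2" -> (2, 3, 2) so comparison is numeric
        return tuple(int(n) for n in re.findall(r"\d+", version))
    if as_tuple(installed) < as_tuple(current_release):
        return [f"outdated: installed {installed}, current release is {current_release}"]
    return []


def audit(docroot, current_release):
    """Run all five checks; an empty list means the install passes."""
    return (check_generator_tag(docroot) + check_plugin_listing(docroot) + check_admin_restriction(docroot)
            + check_robots(docroot) + check_version(docroot, current_release))


def build_sample_docroot():
    """Constructed sample: a default, unhardened install in a temporary folder."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    files = {
        "wp-content/themes/default/header.php":
            "<meta name=\"generator\" content=\"WordPress <?php bloginfo('version'); ?>\" />\n"
            "<!-- leave this for stats please -->\n",
        "wp-content/plugins/akismet/akismet.php": "<?php // sample plugin\n",
        "wp-admin/index.php": "<?php // dashboard\n",
        "wp-includes/version.php": "<?php\n$wp_version = '2.3.2';\n",
    }
    for relative, content in files.items():
        path = root / relative
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


def harden(root, current_release, admin_ip="127.0.0.1"):
    """Apply the five steps to the sample tree. Rewriting version.php stands in for a
    real upgrade here; on a live site you run the upgrade instead."""
    root = Path(root)
    header = root / "wp-content" / "themes" / "default" / "header.php"
    header.write_text(re.sub(r'<meta\s+name="generator".*?/>[ \t]*\n?', "", header.read_text()))
    (root / "wp-content" / "plugins" / "index.html").write_text("")
    (root / "wp-admin" / ".htaccess").write_text(
        f"# Change {admin_ip} to your own IP address\nOrder Deny,Allow\nDeny from all\nAllow from {admin_ip}\n")
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /wp-admin/\nDisallow: /wp-includes/\n")
    (root / "wp-includes" / "version.php").write_text(f"<?php\n$wp_version = '{current_release}';\n")


if __name__ == "__main__":
    root = build_sample_docroot()
    for finding in audit(root, "2.3.3"):
        print("FAIL", finding)
    harden(root, "2.3.3")
    print("after hardening:", audit(root, "2.3.3") or "clean")
```

Run it as is and the first pass reports five findings, one per step; after harden() the second pass is clean. Feeding it the page's original wp-admin snippet, with the comment on the same line as the allow directive, produces the inline-comment finding even though the deny/allow rules themselves are present.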
Further Recommendations for Wordpress Security
Hardening Wordpress with htaccess
An excellent article that shows you how to beef up security using the .htaccess file.
Visit the Wordpress blog frequently, as that is where security fixes and the releases that contain them are announced.
A security plugin that scans your Wordpress website for known weaknesses. Simply download the plugin, upload and activate it, then visit the scanner page. Don't forget to deactivate the plugin afterwards, as leaving it running gives anyone else an easy way to scan your site for the same flaws.
9 Comments
February 12th, 2008 at 11:43 am
Looks a bit like a rewrite/ripoff of http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/ to me …
February 12th, 2008 at 11:45 am
[…] Improving Wordpress Security In Five Easy Steps has some nice tips to protect your Wordpress install. Although well written I think I’ve read this somewhere else before. Can’t remember though. I do remember! Spread the word! […]
February 12th, 2008 at 12:07 pm
Hi Bramus, it certainly wasn’t my intention to produce a knock-off article but to compile a list of what I see as the most important steps to improving Wordpress security. These tips do exist elsewhere but not all in the same place. Thanks for pointing out Matt Cutts’ article, which as usual is of a very high standard and one that I had missed.
February 12th, 2008 at 12:51 pm
Nonetheless it’s a fine article combining them all indeed. Just reminded me of that one by Matt
February 12th, 2008 at 12:58 pm
Cheers Bramus.
February 12th, 2008 at 3:52 pm
Story added…
Your story was featured in Simalish! Here is the link to vote it up and promote it: http://www.simalish.com/TutorialsArticles/Improving_Wordpress_Security_In_Five_Easy_Steps…
February 15th, 2008 at 3:35 am
Improving Wordpress Security In Five Easy Steps…
Whilst Wordpress is a great publishing tool it does have its challenges and one of my greatest concerns is always security. The Wordpress team of developers do a good job of releasing regular fixes but as always hackers inevitably find loopholes and…
February 15th, 2008 at 10:00 pm
[…] online today was this helpful article at Web Design Goldmine on securing WordPress. If you’re a fan of WP (as I obviously am) […]
April 15th, 2008 at 7:13 am
Wow! Great security tips! Thanks for this one. I have always been a WP user but not really particular about its security side.
-Jan