Archive for the ‘Introduction’ Category

How to Secure WordPress, a Quick Start Guide

Monday, October 5th, 2009

In a rush? Here are 5 quick ways to secure your WordPress blog. At the very least follow these steps.

1. Delete the default administrator

Create a new administrator with a hard-to-guess username, log in with that account and delete the default administrator (when WordPress asks, attribute its posts to the new account). Leaving the administrator’s username as “admin” hands an attacker half of the login for free: a brute-force attack then only has to guess the password. Treat the new name as removing an easy default rather than as a secret, since WordPress still reveals usernames through its author archive URLs, so the strong password in the next step is what actually keeps the account safe.

Why you need to delete the default administrator (and how to actually do it).

2. Create a really strong password

Passwords can never be too long or too random; length adds strength faster than clever substitutions do. Use a password manager so you never have to remember the password, and consider using strongpasswordgenerator.com to generate the password itself.
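If you would rather generate the password on your own machine than trust a web page with it, the following added example (not code from wpsecure.org) draws it from the kernel’s random device and estimates how many bits of entropy the result carries. The 68-character alphabet and the 24-character length are assumptions; widen or lengthen them to taste, as long as the login form accepts the characters.

```sh
#!/bin/sh
# Added example, not code from wpsecure.org: generate a strong random password
# from the kernel CSPRNG (/dev/urandom) and estimate its entropy.
# The alphabet below is an assumption; extend it with any characters the
# WordPress login form accepts.

# Literal alphabet (68 characters). Listed explicitly rather than as tr ranges
# so its size can be measured with ${#ALPHABET}.
ALPHABET='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_@#%+='

# gen_password LENGTH: print LENGTH characters drawn uniformly from $ALPHABET.
# /dev/urandom yields every byte value with equal probability; tr -dc discards
# bytes outside the alphabet (rejection sampling), so no modulo bias is introduced.
gen_password() {
    LC_ALL=C tr -dc "$ALPHABET" < /dev/urandom | head -c "$1"
    echo
}

# entropy_bits LENGTH ALPHABET_SIZE: floor(LENGTH * log2(ALPHABET_SIZE)).
# 24 characters over 68 symbols give 146 bits, far beyond any online or
# offline guessing budget; adding length is the cheapest way to add bits.
entropy_bits() {
    awk -v n="$1" -v a="$2" 'BEGIN { printf "%d\n", n * log(a) / log(2) }'
}

# count_outside PASSWORD: number of characters in PASSWORD that are not in
# $ALPHABET; a sanity check that generation stayed inside the intended set.
count_outside() {
    printf '%s' "$1" | LC_ALL=C tr -d "$ALPHABET" | wc -c | tr -d ' '
}

pw=$(gen_password 24)
echo "password: $pw"
echo "entropy:  $(entropy_bits 24 ${#ALPHABET}) bits"
```

Paste the output straight into the password manager; a password you never type from memory does not need to be memorable, only long.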

3. Install all the plugins listed in our Plugins section

The three most important ones to install are:

4. Move wp-config.php

Log in to your server via FTP (or SSH) and move wp-config.php exactly one directory above the WordPress root. If it currently resides in /public_html/blog/, move it to /public_html/; if it is in /public_html/, move it to the directory above that, the one your FTP client shows as the top level, /. WordPress looks for the file in its own directory first and then one level up (and only if that parent directory is not itself a WordPress installation), so moving it any further breaks the site. The move only gains you something when the parent directory is outside the web root, so a server misconfiguration that served PHP source as plain text could not expose your database password; after moving it, make sure the file is still readable by the web server user and by nobody else.
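The following added example (not code from wpsecure.org) performs the move from a shell and then checks, using the same lookup rule WordPress applies in wp-load.php, that the site would still find its configuration. The directory layout, the throwaway tree the demo builds, and the 640 file mode are assumptions; adjust the mode to whatever user and group your web server actually runs as.

```sh
#!/bin/sh
# Added example, not code from wpsecure.org: move wp-config.php one level above
# the WordPress root and confirm WordPress would still find it. find_wp_config
# mirrors the rule in wp-load.php: the file is read from the WordPress directory,
# else from its parent, but only when the parent does not itself contain
# wp-settings.php. Paths and the 640 mode are assumptions.

# find_wp_config ABSPATH: print the wp-config.php WordPress would load, or fail.
find_wp_config() {
    abspath="${1%/}"
    parent=$(dirname "$abspath")
    if [ -f "$abspath/wp-config.php" ]; then
        printf '%s\n' "$abspath/wp-config.php"
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        printf '%s\n' "$parent/wp-config.php"
    else
        return 1
    fi
}

# move_wp_config ABSPATH: move the file exactly one directory up and tighten its mode.
# Refuses when the parent is itself a WordPress root (wp-settings.php present),
# because WordPress would ignore the moved file there, or already holds a wp-config.php.
move_wp_config() {
    abspath="${1%/}"
    parent=$(dirname "$abspath")
    if [ ! -f "$abspath/wp-config.php" ]; then
        echo "no wp-config.php in $abspath" >&2; return 1
    fi
    if [ -f "$parent/wp-settings.php" ]; then
        echo "$parent is a WordPress root; WordPress would not read wp-config.php there" >&2; return 1
    fi
    if [ -e "$parent/wp-config.php" ]; then
        echo "$parent already contains a wp-config.php" >&2; return 1
    fi
    mv "$abspath/wp-config.php" "$parent/wp-config.php"
    # owner read/write, group (the web server's group) read, nobody else
    chmod 640 "$parent/wp-config.php"
}

# Demo on a constructed throwaway tree; nothing on a real server is touched.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/blog"
    touch "$root/public_html/blog/wp-settings.php"
    printf '%s\n' '<?php define("DB_PASSWORD", "example-only");' > "$root/public_html/blog/wp-config.php"
    move_wp_config "$root/public_html/blog"
    echo "WordPress will load: $(find_wp_config "$root/public_html/blog")"
    rm -rf "$root"
}
demo
```

Run find_wp_config against the real WordPress directory after the move; if it prints nothing, the file landed somewhere WordPress will not look and the site will fail to load.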

5. Stay aware

Subscribe to the WordPress Development Blog and wpsecure.org feeds to stay up to date on the latest security exploits that may affect you and your blog. Awareness is half the battle.

Credits

Monday, October 5th, 2009

There are thousands of people who have indirectly contributed to this project but here are the people who have directly contributed content or inspiration:

What is the Secure WordPress project?

Monday, October 5th, 2009

Secure WordPress is a resource I wanted to have myself: a complete checklist and walkthrough of all the security topics relating to self-hosted installations of WordPress. Since there was so little discussion online of these topics beyond the basics (which we still cover), I decided to make it myself.

The History

The idea for Secure WordPress first came to me in about June of 2009. I’d been thinking of things I could write an eBook about to sell, and WordPress security just seemed like a great topic to cover.

I soon decided that it’d feel wrong to sell information that is so critical to WordPress bloggers, so the plan was to compile a nice-looking PDF file and distribute it for free as a way to gain recognition for a blog I’d yet to launch (which is now going strong), Adventures of a Barefoot Geek.

But even the idea of using a PDF seemed sort of archaic, especially since I wanted this to be an evolving resource. Then at 10pm one night I registered wpsecure.org and got to work, setting up this blog and adding all the content from the Pages document I’d been working on. And that’s how this project came about.

How to Use this Guide

Sunday, October 4th, 2009

Security is such a huge topic that the list of things you could do to prevent malicious attacks is practically endless. But sooner or later you have to draw the line between security and feasibility.

I’ve written this guide as a series of different tactics, as opposed to a step-by-step plan. You can skip ahead to pretty much any section and start implementing the methods outlined there.

And don’t feel like you have to do everything. Obviously the more roadblocks you set up for malicious hackers the better, but I imagine that using every tactic I write about on a single blog could make it frustrating even for authorized users.

It’s also important to remember that these tactics don’t replace common sense and the fundamentals of security. Don’t go handing out your usernames and passwords to people or leaving yourself logged in to your accounts on public computers. And if those ideas sound foreign to you, I’d suggest starting with a more basic introduction to security, because this guide is aimed at the down-and-dirty, in-the-trenches side of things.