There’s nothing like starting out the New Year securing your WordPress blog. We all know that WordPress is really quick and easy to install but out of box it’s not necessarily configured to be fully secure or as secure as it could be. Keeping WordPress secure is not a full time job but a few simple tips and “hacks” implemented at any time post install will reduce the chances of your blog being the victim of remote malicious activity.
Working on a client job recently I was asked to review the general security of a site and come up with recommendations on how best to improve the security and reduce the chance of remote malicious activity. My review included these tips below all of which were implemented on the clients site in question.
Server level “hacks”
Hide folder directory listings
To prevent nosy intruders from looking at what plugins or themes you have installed you can quickly install a blank index.html or index.php file in those folders. This will give a blank screen when those folders are accessed directly, hiding your plugin and theme information. If you are creating a blank index.php then put the following code inside:
<?php // silence is golden ?>
Save this file as index.php and ftp or SSH to your
WordPress configuration changes
Move wp-config.php – this is a simple tip. Relocate your wp-config.php file to the directory / folder one up from your blog. So, if your blog is located in
then you would move wp-config.php from that folder to
It’s that simple providing you’re running WordPress 2.6 or greater. You’ll need ftp access or you can do this through an SSH connection. A great tip giving you peace of mind about your database and other configuration settings.
Add security keys in wp-config.php
First available in WordPress 2.6 and updated in 2.7 these security key settings ensure better encryption of information stored in user cookies when accessing your site. The keys can be anything, preferably difficult and lengthy (they won’t need to be remembered as they are set and forget) and you make the change by editing your wp-config.php file. To save you having to think of four phrases there is a great secret key generator at wordpress.org for you to use and it even makes creates the code for a true copy and paste experience. So, download and edit in your favorite text editor (or edit via SSH) your wp-config.php file, click on the secret key generator and then paste in the 4 lines of code to replace the multiple “define…” statements. Here’s the output I got from clicking on the key generator link:
define('AUTH_KEY','m/if.C66;t%7-~+,lL~x-|~s?Rv5uH?EpsO qc$u}h(`iC19|;}>RifWdX8x6I_v'); define('SECURE_AUTH_KEY', 'J|xwv@Hws vO2rbVV ]WqicA.`,87bc2_otEi&Xdy+!O2-yWI,*3nSB?t%iIhcN,'); define('LOGGED_IN_KEY','6%}M[D(Ymt?CU*PhksOJr@G9us!dg0A&@$X-+KBe&GcfcYUw8v!u+)J)*6Oc?R98'); define('NONCE_KEY','rcsEsaT9rzY)HTo08i2|qKhfl>j^x}u:vb/oC2dZvzhi/_r;>+Lz&-~`$p+w&-tQ');
Removing login error messages – this little tip will quite simply remove the error message from being displayed on the WordPress login page. This tip is theme based (so remember this if you switch themes) and you add one line into the themes functions.php. Here’s the line, place it at the bottom of the file:
add_filter('login_errors',create_function('$a', "return null;"));
Rename the “admin login id” – another simple and effective tip. The default administrator login name in WordPress is “admin” (although for new installations you can change it at install time). This tip works well for existing installations. By changing this to something only you know this will help protect your blog from random attempts to login with administrative privileges. So on an existing blog you’ll need access to your WordPress database and in particular the “wp_users” table. It’s likely you’ll have phpMyAdmin available as a tool to work with your databases. You’ll need to get to the bit that allows you to run a SQL command. Here’s the command:
update tableprefix_users set user_login='newuser' where user_login='admin';
Note: “tableprefix” is usually “wp_” and “newuser” is the name you want your admin login to be. For example : “banana” or “alongadminusernamethatwillbedifficulttoguess”.
If you have any tips on securing your WordPress installation and you are willing to share them 🙂 please leave a comment.
Sean Hayes – professional WordPress consulting What to do if your blog has been hacked · February 23, 2010 at 6:03 pm
[…] admin and FTP passwords regularly is always good practice but there are more hints and tips in my WordPress Security […]