10 Exclusive Tips To Secure Your WordPress Site – Part 1

Hey guys, Today we are discussing about WordPress Security Issues and its solutions. So, lets start! We know that, WordPress is the best and most popular open source platform for any kind websites. Because of this, everyone knows its back-end files, settings and its coding structure, and the main thing is, the hackers can easily hack your site. But, don’t get afraid. Their are some solution for this problem. So, what we do is, we must secure our site with the help of some extra codes and some security plugins. So, in this article,  I’m going to share some most important and exclusive 10 security tips for you [Part-1]. On my next article [Part-2] , I will share 10 more security tips for strengthening you WordPress site.

Secure Your WordPress Site: Tip – 1

Change If WordPress installation Address Is The Same As The Site Address

In most of the sites, the WordPress core files are installed in same site address. So, the hacker knows the exact location of every core files of your site! Our mission is to move WordPress core files to any other non-default directories. This will ensure more and more security to your WordPress site.

For example: If your current and default location of your wordpress location is www.mysite.com. Just move to www.mysite.com/New directory/   or www.mysite.com/New-directory/mysite/

The default site address can be changed from your admin area (Settings->General). If you need more help, you can watch this video tutorial.

Secure Your WordPress Site: Tip – 2

Keep WordPress Core Is Up To Date

Keeping the WordPress core up to date is one of the most important aspects of keeping your site secure. If vulnerabilities are discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attacks, and is one of the primary reasons you should always keep WordPress up to date.

Thanks to automatic updates updating is very easy. Just go to Dashboard – Updates and click “Upgrade”. Remember – always backup your files and database before upgrading!

Secure Your WordPress Site: Tip – 3

Keep The Plugins And Theme Up To Date

As with the WordPress core, keeping plugins and themes up to date is one of the most important and easier way to keep your site secure. Since most plugins and themes are free and therefore their code is available to anyone having the latest version will ensure you’re not prone to attacks based on known vulnerabilities.

If you downloaded a plugin from the official WP repository you can easily check if there are any upgrades available, and upgrade it by opening Dashboard – Updates.

Secure Your WordPress Site: Tip – 4

Check If Full WordPress Version Info Is Revealed In Page’s Meta Data

People with bad intentions can easily use Google to find site’s that use a specific version of WordPress and target them with 0-day exploits.

Place the following code in your theme’s functions.php file in order to remove the header meta version info:

function remove_version() {
return ”;
add_filter(‘the_generator’, ‘remove_version’);

Secure Your WordPress Site: Tip – 5

Ensure That Security Keys And Salts Have Proper Values

Security keys are used to ensure better encryption of information stored in the user’s cookies and hashed passwords. You don’t have to remember these keys. In fact once you set them you’ll never see them again. Therefore there’s no excuse for not setting them properly.

The security keys are 8. You can generate the codes from the WordPress site. Don’t worry, It will generate different keys on every page refresh. Just add the 8 codes in your wp-config.php from line 45 to 52. Check an example given below.

Secure Your WordPress Site: Tip – 6

Secure Your wp-config.php With chmod

WordPress wp-config.php contains all your sensitive data such as your database username, password etc. So, you must secure wp-config.php for prevent your website from hacking.  So ,try setting chmod to 0400 or 0440 and if the site works normally that’s the best one to use. You can do chmod easily through FTP client (filezilla). Sometimes, setting 0400 or 0440 is not possible through FTP clients, so you can chmod through the cpanel -file manager. If you’re hosting on a Windows based server you can skip this tip!

Secure Your WordPress Site: Tip – 7

Secure Your .htaccess With chmod

.htaccess is the main file that control your site. Because .htaccess can allow/restrict the permission to access your secure files, folders and lot of security issues. For example, if a hacker accessed your .htaccess file, he can easily destroy your site by changing the permalink structure, force rewrite codes to files etc. So, you must secure your .htaccess file by using chmod 0400 or 0440 by the same way we used to secure wp-config.php. If you’re hosting on a Windows based server you can skip this tip!

Secure Your WordPress Site: Tip – 8

Deny Access To install.php

If you are a site admin you know that how to install a WordPress site. I’m I right? So, the hacker knows the location of install.php in your site. If he accessed install.php, he can hack your site! So, my advice is, Once you installed WP this file becomes useless and there’s no reason to keep it in the default location (in wp-admin folder) and accessible via HTTP. Just delete it or rename install.php to install-8792.php or install-akhil98.php etc.

Another important thing regarding install.php is: Ok, you will delete install.php after your site installation. But, did you deleted after your WordPress upgrade? After upgrade, install.php will come back:-) So, don’t forget to delete install.php after your WordPress upgrade!

Secure Your WordPress Site: Tip – 9

Deny Access To upgrade.php

upgrade.php is a helpful file. It will help you to upgrade your WordPress site. With your permission it’s good. But, without your permission, its really not good! Because upgrade.php can modify or change your database. So, my suggestion is to delete or rename upgrade.php from the default location (in wp-admin folder). When the time come to upgrade your site, just restore or rename the file for upgrading!

Secure Your WordPress Site: Tip – 10

Deny Access To readme.html

Accessing readme.html will reveal your site identity. The readme.html file contains your WordPress version info and if left on the default location (WP root) attackers can easily find out your WP version. For better security, just delete it or readme-87547.html or you can even move it to any other location. Our only mission is to deny access to the file through HTTP.

Hope these tips will help you. Wait for my next article [Part-2]. Thanks!


  1. This is a great list of things to do to secure your WordPress site…

    I’ve done a fair bit of research into securing WordPress sites myself…

    I’ve written up my experiences in a comprehensive WordPress Security Checklist which can be downloaded for free on http://www.wpsecuritychecklist.com.

    My checklist has a some more items listed and steps for how to get the job done.

    Hopefully the checklist can help other people securing their WordPress sites…

    By the way… I think you need to check the placement of your social buttons share bar :-)

  2. I have WP site owners come to us frequently. Most of the security issues are due to:

    – Outdated core WP
    – Outdated Plugins
    – Bad passwords

    A major issue is plugins. I have see several plugins that include other code. While the plugin author may update their code, they do not update the include code. This was certainly the case with the Timthumb hack (http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/).

    One tip I offer here (http://www.rackaid.com/resources/wordpress-tips/) is to pick popular plugins that are updated regularly. Don’t use obscure plugins that do not have regular updates. Doing this and keeping your WP up to date will save a lot of trouble.

    If you have multiple WP installs, check out http://www.managewp.com/ as it can help you keep them updated.

    Lastly, I am experimenting with WPScan – a WP specific security scanner – and will post results to our blog.

    I think:
    – Running WP under mod_ruid, fast-cgi, SuPHP to assure the WP install runs under the user ID
    – Using good passwords
    – Keeping things updated
    – WPscans regularly or after any plugin/coding/theme changes

    These list really lays a great foundation for a operating WP.

Leave a Reply

Your email address will not be published. Required fields are marked *