WordPress is easily one of the most popular web applications in use, and that makes it quite a target for malicious hackers using PHP injections, SQL injections, Cross-Site Scripting and many others to compromise blogs that are not secure.

You see, WordPress made its bones on how easy it is to install and use. Users quickly get hung up on finding, or designing, the right template for the blog’s UI and activating all the plug-ins needed to enhance the site’s functionality. Unfortunately not many people give securing WordPress a second thought.

WordPress, being a web application, offers attackers many different ways to exploit the software. This guide will help you better defend your WordPress site against these malicious attacks to keep your site up and running.

The Installation

Securing any web application should start with the installation process. As stated earlier, the WordPress installation is ridiculously easy. However most hosting companies make installing WordPress even easier by using installer tools, like Fantastico, to automate the installation. Don’t use these tools, they often configure your software with default settings that attackers look for when choosing a target.

Instead of relying on an installer, download the latest version of WordPress and upload it to the directory on your server where you wish to host your blog. You can follow the easy five minute installation guide, but there are a few things that we are going to address to make WordPress more secure but before we get started, you are going to need to do a few things before and during the installation:

  1. When creating the database (before the installation process) be sure to name the it something that does not identify it as the WordPress database.
  2. During the installation process make sure to change the default database table prefix from “wp_” to something less conspicuous.
  3. Change the default username from “admin” to something else.

Of course I would be neglect if I didn’t remind you that you need to use strong passwords for everything, including your FTP authentication, usernames, databases, etc.

After the installation

Once the installation process is complete there is still quite a bit of work to be done securing WordPress.

Step 1 – Authentication Keys

The authentication system of WordPress can be improved to add more security to your site by adding unique, or secret, keys. These can be obtained by visiting https://api.wordpress.org/secret-key/1.1/salt/. Here you will find a set of randomly generated keys that look like this:

define('AUTH_KEY',         'N4 <I0 ~l70/=<y>[email protected]~;=,JqXZb58V6exiR_R^QSm|z0-Ts+N');

define('SECURE_AUTH_KEY',  '=j+({-GRWxYbAU[-|tfU@_2[p>:Yl(VV3uq}ZdM) h)cG+/anf}c,[email protected] kzl');

define('LOGGED_IN_KEY',    'wK:WK:)[0.d`5k;r&[~8.3DcuOee?:W9!b$]odZ^v/(IiMdb0O?<IB?mdHf3`VCC');

define('NONCE_KEY',        'mG-VUfq/A4:?3}a|B<*NdGyk^wE*_`zRJX[VVfvm&y/B;%9O[bX/A5j3rkW*d.jA');

define('AUTH_SALT',        '2>N6igpu*Idk+%=&6]Z4Vc)-;/BOdiec0=N?sgcWK4$|T8kJP1>]/Nn%r*QP9|n^');

define('SECURE_AUTH_SALT', 'F#9^SVxj6ZO_*J0%CGUFK}P !q-v<N(Is|h@<N,[email protected][-y-zBJQS!:hIs');

define('LOGGED_IN_SALT',   'evjn3aEM0UA8UF|du|I]WSG.i_B|@)^=.-5-qY)p}m9[kwVD|gjVOj[l_(?S9W%<');

define('NONCE_SALT',       ':YLC?hr7D<))Jt9S;U#+7c9Nsk148rImy;M8NWHCEYaqr0he]tE}JV9vrRtE/ppe');

Highlight and copy this text and open your wp-config.php file in a text editor. Right below the database credentials, paste the copied keys into the file, save it and upload it back to your server.

Step 2 – Change your permissions

As a general rule, your permission levels should be set as follows:

Folders – 755

Files – 644

Some templates and plug-ins may find these settings to restrictive so you may have to increase them. If you are in this position, try to find a balance between usability and security.

Step 3 – Move your wp-config.php file

You don’t want anyone having access to your configuration files. To better protect it against prying eyes and malicious activity move it out of the website’s root directory and into the parent directory. For example:


Can be moved to:


Step 4 – Move your wp-content directory

Just like the configuration file, the content can be moved. But why would you want to do this? So attackers have a harder time finding your themes, plug-ins and uploads.

Once you have moved your directory you will need to make some adjustments to your wp-config.php file. Add the following lines:

define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://example/blog/wp-content');

You may also need to define the new location for your plug-ins here by adding these lines to the file:

define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
define( 'WP_PLUGIN_URL', 'http://example/blog/wp-content/plugins');

Step 5 – Lockdown the wp-admin directory with .htaccess

Create an .htaccess file in your wp-admin directory with the following lines:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny, allow
deny from all
#IP whitelist
allow from xx.xx.xx.xx
allow from xx.xx.xx.xx

Remember, substitute a static IP address for the xx in the code. Don’t use this unless you have a static IP address or your could find yourself locked out.

In part two of the series we will look at some plug-ins that can help you further secure your WordPress site.

By Jeff
Jeff is a freelance writer and the editor of Developer Drive. He writes on web development topics with a focus on web application security. In his spare time he coaches youth football and works as a technology coordinator for the Palm Beach County school district.
  • Neo


  • Anonymous

    No problem Neo, the second part to the series is coming soon.

  • Anonymous

    I’m developing with wordpress currently, I’m a beginner and I really appreciate this advice.

  • http://www.sitzsack-onlineshop.de/ Sitzsack

    A question at Step 3: My Blog is already in the parent directory. What do you suggest?

    • Anonymous

      Not sure what you mean. If you’ve already taken it out of the root directory then you can skip that step. Does that address your question?

  • http://twitter.com/MitchPopilchak Mitch Popilchak

    Just wondering.
    If you move config.php and change the directory structure
    What happens when there is a WP upgrade?
    Do you have to do it all over again? Will the upgrade get confused?


  • http://andrewnacin.com/ Andrew Nacin

    Good article. That said, the “security by obscurity” techniques used in steps 3 and 4 are not security-oriented and really don’t do much secure a site.

    Moving wp-config.php to the root of public_html still makes it supposedly publicly accessible. The ability to move wp-config.php up is actually designed for using /wordpress as an SVN external, so your root has /wordpress, index.php, wp-config.php, and /wp-content.

    And, moving your wp-content directory is quite common, but not for security reasons. Any person or bot targeting a site could just as easily check the HTML source, even, to detect the location of wp-content. The problem with a suggestion like this is it might make people actually believe they are securing their site, when in reality, the URL is still going to be publicly accessible.

    • robinrowell

      Thanks Andrew for that insight

  • http://www.widestate.com/ Baidya nath Singh

    I will implement it, may be useful for some specific websites.

Home XML WordPress Web Services Web Development Web Design Underscore Uncategorized Tutorial Tools SQL Server Social Apps Snippet SEO Security RoR Responsive Design Resources Python PHP News MySQL Mobile Miscellaneous jQuery JavaScript Java J2EE HTML5 HTML Design Patterns