How to Secure WordPress Part 1 – The Basics


WordPress is easily one of the most popular web applications in use, and that makes it a prime target for attackers, who use PHP injection, SQL injection, cross-site scripting and many other techniques to compromise blogs that are not secured.

You see, WordPress made its bones on how easy it is to install and use. Users quickly get hung up on finding, or designing, the right template for the blog’s UI and activating all the plug-ins needed to enhance the site’s functionality. Unfortunately, not many people give securing WordPress a second thought.

WordPress, being a web application, offers attackers many different ways to exploit the software. This guide will help you better defend your WordPress site against these malicious attacks to keep your site up and running.

The Installation

Securing any web application should start with the installation process. As stated earlier, the WordPress installation is ridiculously easy. However, most hosting companies make installing WordPress even easier by using installer tools, like Fantastico, to automate the installation. Don’t use these tools: they often configure your software with default settings that attackers look for when choosing a target.

Instead of relying on an installer, download the latest version of WordPress and upload it to the directory on your server where you wish to host your blog. You can follow the easy five-minute installation guide, but there are a few things to take care of before and during the installation to make WordPress more secure:

  1. When creating the database (before the installation process), be sure to name it something that does not identify it as the WordPress database.
  2. During the installation process make sure to change the default database table prefix from “wp_” to something less conspicuous.
  3. Change the default username from “admin” to something else.

Of course I would be negligent if I didn’t remind you to use strong passwords for everything, including your FTP authentication, user accounts, databases, etc.

After the installation

Once the installation process is complete there is still quite a bit of work to be done securing WordPress.

Step 1 – Authentication Keys

WordPress’s authentication system can be strengthened by adding unique, secret keys to your configuration. These can be obtained from the WordPress secret-key generator page, where you will find a set of randomly generated keys that look like this:

define('AUTH_KEY',         'N4 <I0 ~l70/=<y>BTvm9m.zX^N+4L@OK~;=,JqXZb58V6exiR_R^QSm|z0-Ts+N');
define('SECURE_AUTH_KEY',  '=j+({-GRWxYbAU[-|tfU@_2[p>:Yl(VV3uq}ZdM) h)cG+/anf}c,}{@oVD8 kzl');
define('LOGGED_IN_KEY',    'wK:WK:)[0.d`5k;r&[~8.3DcuOee?:W9!b$]odZ^v/(IiMdb0O?<IB?mdHf3`VCC');
define('NONCE_KEY',        'mG-VUfq/A4:?3}a|B<*NdGyk^wE*_`zRJX[VVfvm&y/B;%9O[bX/A5j3rkW*d.jA');
define('AUTH_SALT',        '2>N6igpu*Idk+%=&6]Z4Vc)-;/BOdiec0=N?sgcWK4$|T8kJP1>]/Nn%r*QP9|n^');
define('SECURE_AUTH_SALT', 'F#9^SVxj6ZO_*J0%CGUFK}P !q-v<N(Is|h@<N,ze6sQ+%n@fk[-y-zBJQS!:hIs');
define('LOGGED_IN_SALT',   'evjn3aEM0UA8UF|du|I]WSG.i_B|@)^=.-5-qY)p}m9[kwVD|gjVOj[l_(?S9W%<');
define('NONCE_SALT',       ':YLC?hr7D<))Jt9S;U#+7c9Nsk148rImy;M8NWHCEYaqr0he]tE}JV9vrRtE/ppe');

Highlight and copy the keys generated for you (not the sample above), then open your wp-config.php file in a text editor. Right below the database credentials, paste the copied keys into the file, save it and upload it back to your server.
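As an added example (not code from the original article), the shell script below checks a wp-config.php for the two defaults this guide says to replace, the placeholder authentication keys and the “wp_” table prefix from the installation steps, and can generate a fresh key block offline. The function names are this example’s own, and the key character set is assumed to be a subset of what WordPress’s own generator draws from.

```shell
#!/bin/sh
# Added example, not from the original article: audit wp-config.php for the
# defaults this guide says to change, and generate replacement keys offline.

# The eight constants WordPress expects (names as they appear in wp-config.php).
WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character key from /dev/urandom. Single quotes and backslashes are
# deliberately absent so the value can sit inside PHP single quotes unescaped.
# (Character set: assumed subset of the one WordPress's generator uses.)
wp_random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=<>~:;,./?|-' </dev/urandom | head -c 64
}

# Eight define() lines in the same shape as the block shown above.
wp_key_block() {
    for name in $WP_KEY_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(wp_random_key)"
    done
}

# Audit a wp-config.php: prints one FINDING line per problem.
# Returns 0 when the file is clean, 1 when anything was found.
wp_config_audit() {
    cfg="$1"; rc=0
    # The stock wp-config-sample.php ships every key as this placeholder.
    if grep -q 'put your unique phrase here' "$cfg"; then
        echo "FINDING: placeholder authentication keys still present in $cfg"; rc=1
    fi
    for name in $WP_KEY_NAMES; do
        grep -q "define( *'$name'" "$cfg" \
            || { echo "FINDING: $name is not defined"; rc=1; }
    done
    # Installation step 2: the table prefix should no longer be wp_.
    if grep -q "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'wp_'" "$cfg"; then
        echo "FINDING: default table prefix wp_ is still in use"; rc=1
    fi
    return $rc
}

# Usage: sh wp-config-check.sh /path/to/wp-config.php
if [ "$#" -gt 0 ]; then
    wp_config_audit "$1"
fi
```

Run `wp_key_block` on its own to get a paste-ready set of keys when the generator page is not reachable; the audit only reads the file and changes nothing.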

Step 2 – Change your permissions

As a general rule, your permission levels should be set as follows:

Folders – 755

Files – 644

Some templates and plug-ins may find these settings too restrictive, so you may have to loosen them. If you are in this position, try to find a balance between usability and security.
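The 755/644 baseline above, as an added example that is not part of the original article: one function reports every directory and file that deviates from it, and a second enforces it. Function names and the root-directory argument are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original article: audit and enforce the
# Step 2 permission baseline (folders 755, files 644) under a WordPress root.

# Print one line per deviation, prefixed DIR or FILE. Uses only POSIX find
# (-perm with an exact mode), so it runs on GNU and BSD systems alike.
# Returns 0 when nothing deviates, 1 when at least one path does.
wp_perm_audit() {
    root="$1"
    findings=$(
        find "$root" -type d ! -perm 755 | sed 's/^/DIR  not 755: /'
        find "$root" -type f ! -perm 644 | sed 's/^/FILE not 644: /'
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Apply the baseline. Run wp_perm_audit first and review the list: anything a
# theme or plug-in legitimately needs to write to is the "balance" the step
# above talks about, and should be handled deliberately rather than by this sweep.
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Usage: sh wp-perms.sh /path/to/wordpress [fix]
if [ "$#" -gt 0 ]; then
    if [ "${2:-}" = "fix" ]; then
        wp_perm_fix "$1"
    fi
    wp_perm_audit "$1"
fi
```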

Step 3 – Move your wp-config.php file

You don’t want anyone else having access to your configuration file. To better protect it against prying eyes and malicious activity, move it out of the website’s root directory and into the parent directory. For example:


Can be moved to:


Step 4 – Move your wp-content directory

Just like the configuration file, the wp-content directory can be moved. But why would you want to do this? So attackers have a harder time finding your themes, plug-ins and uploads.

Once you have moved your directory you will need to make some adjustments to your wp-config.php file. Add the following lines:

define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://example/blog/wp-content');

You may also need to define the new location for your plug-ins here by adding these lines to the file:

define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
define( 'WP_PLUGIN_URL', 'http://example/blog/wp-content/plugins');

Step 5 – Lock down the wp-admin directory with .htaccess

Create an .htaccess file in your wp-admin directory with the following lines:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Deny everything first, then allow only the listed addresses
# (the mode argument takes no space after the comma)
Order Deny,Allow
Deny from all
# IP whitelist
Allow from xx.xx.xx.xx
Allow from xx.xx.xx.xx

Remember to substitute your static IP address for the xx in the code. Don’t use this unless you have a static IP address, or you could find yourself locked out.

In part two of the series we will look at some plug-ins that can help you further secure your WordPress site.

By Jeff
Jeff is a freelance writer and the editor of Developer Drive. He writes on web development topics with a focus on web application security. In his spare time he coaches youth football and works as a technology coordinator for the Palm Beach County school district.