Essential WordPress Security Tips – Is Your Blog Protected?

Last updated: May 18, 2015

I have been revisiting the various security settings of my WordPress blog after this blog's database tables were suddenly corrupted last week for an unknown reason. In this post I have highlighted some of the security tips that can help protect your blog from possible outside attacks.

A lot of the security tips covered in this article are offered as features in our WordPress Security Plugin.

Also, check out the following two WordPress security articles that we published:

  • Secure Your WordPress Site Against Brute Force Attacks
  • Advanced WordPress security tips

Use Strong Passwords for all Entry Points

I was surprised to find out how many of my friends use the WordPress admin password generated by WordPress during install time and think that their blog is protected from attacks because they are using a strong password! The WordPress admin password generated during install time is normally pretty strong (it consists of lowercase and uppercase letters with numbers and symbols), so there is nothing wrong with that. I was mainly shocked to find out that their FTP/cPanel password for that domain is not that strong. It gets even better… one of them was using his partner’s name as the password (did I mention that his partner’s name was mentioned on his blog’s ‘About’ page?)! The FTP/cPanel password for your domain is equally important. If someone can access your cPanel then that person can delete your WordPress database from cPanel->Databases->MySQL Databases. Anyway, the bottom line is to use strong passwords for all entry points, not just one.

Add a CAPTCHA on your WordPress Login page

Adding a simple CAPTCHA to your WordPress login page is another great way to minimize the chance of a bot/script gaining access to your site via a brute force attack. Read the adding CAPTCHA to login page tutorial to learn how to enable it on your site.

Protect the ‘wp-admin’ Directory

Use a .htaccess file in the ‘wp-admin’ directory to limit access to only certain IP addresses (your home, work etc.). The WordPress htaccess tips post has more htaccess related tips and tricks. Below is an example .htaccess file that can be used for this purpose (replace the ‘x’ and ‘y’ placeholders with your own IP addresses).

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx
# whitelist work IP address
allow from yy.yyy.yyy.yyy

If you don’t have static IP addresses, the above method can be a bit hard to implement. In that case you could use the AskApache Password Protect WordPress plugin, which adds good password protection to your WordPress blog. Use the Login Lockdown feature of the All in One WP Security plugin to protect your blog against brute force attacks (a brute force attack is a method of defeating a cryptographic scheme by systematically trying a large number of possibilities).

Deny access to your Plugins and other directories

A lot of bloggers don’t protect access to their WordPress plugins directory. What I mean by this is that if you go to www.your-domain.com/wp-content/plugins/ from a browser, it lists all the plugins that you are using. Many WordPress plugins can have vulnerabilities which an attacker can use to harm your blog, so it’s a good idea to block access to these directories. You can use a .htaccess file or just upload a blank ‘index.html’ file to each directory to block access to it. (download a blank index.html)

Update WordPress to the Latest Release

As new WordPress versions are released, the security bugs in previous releases become public information. WordPress could have vulnerabilities, as a result of how the program is written, that allow an attacker to pass HTTP arguments, bad URI strings, form input, etc., that could cause Bad Things to happen. So always update your WordPress to the latest version to make sure that you are protected against any known security bugs.

Don’t Show WordPress Version on Your Blog

You should not make the WordPress version that you are using visible to others for the same reason explained above. The specific WordPress version that you are using can give the attacker an upper hand in finding a way to break in.
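A self-check for three of the items above (the wp-admin IP allow-list, the blocked plugins directory listing, and the hidden WordPress version). This is an added example, not code from the post or the plugin: the `Response` objects are constructed sample HTTP responses, and the check functions are assumed helpers you would feed with real fetches of your own site.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Response:
    status: int
    body: str

# <meta name="generator" content="WordPress 3.3" /> as emitted by wp_generator()
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]*)["\']', re.IGNORECASE)
# Title of an Apache autoindex page, i.e. directory listing still enabled
INDEX_RE = re.compile(r'<title>\s*Index of\s+/', re.IGNORECASE)

def leaked_version(home: Response) -> Optional[str]:
    """Version string if the generator tag is still in the page head, else None."""
    m = GENERATOR_RE.search(home.body)
    return (m.group(1) or "unknown") if m else None

def listing_exposed(plugins_dir: Response) -> bool:
    """True if /wp-content/plugins/ still returns a directory listing."""
    return plugins_dir.status == 200 and bool(INDEX_RE.search(plugins_dir.body))

def admin_locked_down(wp_admin_from_outside: Response) -> bool:
    """True if /wp-admin/ refuses a request from a non-allow-listed address (403). A 200 means
    the .htaccess is absent or ignored (AllowOverride None, or Apache 2.4 lacking mod_access_compat)."""
    return wp_admin_from_outside.status == 403

def audit(home: Response, plugins_dir: Response, wp_admin_outside: Response) -> List[str]:
    findings = []
    version = leaked_version(home)
    if version is not None:
        findings.append(f"generator tag reveals WordPress {version}")
    if listing_exposed(plugins_dir):
        findings.append("/wp-content/plugins/ directory listing is enabled")
    if not admin_locked_down(wp_admin_outside):
        findings.append("/wp-admin/ reachable from a non-allow-listed address")
    return findings

# Constructed sample responses, not captured from a real site.
UNHARDENED = (
    Response(200, '<head><meta name="generator" content="WordPress 3.3" /></head>'),
    Response(200, '<head><title>Index of /wp-content/plugins</title></head>'),
    Response(200, '<head><title>Log In</title></head>'),
)
HARDENED = (
    Response(200, '<head><title>My Blog</title></head>'),
    Response(200, ''),           # blank index.html uploaded, as the post suggests
    Response(403, 'Forbidden'),  # wp-admin .htaccess allow-list in effect
)

if __name__ == "__main__":
    for label, responses in (("before", UNHARDENED), ("after", HARDENED)):
        print(label, audit(*responses) or ["no findings"])
```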

Backup Your Data

I can’t stress this enough… always keep backups of all the important files. I always backup my WordPress Database and WordPress files in case of emergency. Read my what would you do if you lost all your blog’s content article to find out how backups can help you sleep better at night 🙂

Be careful when you upload something to your site

When you upload a script (for example a plugin, a theme or just a normal script) to your site you need to be extra careful, as it can harm your site if it was designed to do so. Only upload authentic content to your site. Never download a plugin or a theme from warez, torrent or file sharing sites. The content on these sites can be disguised as a plugin or a theme, but it will harm your site when uploaded to your server. You can read more on these types of attacks in the ‘free premium plugin and theme downloaders beware’ article.

Check out the advanced WordPress security tips article for more tips.

Feel free to share your thoughts and WordPress security tips in the comment area below.

Comments (54 responses)

  1. Laren says:
    February 6, 2014 at 2:42 pm

    Back up data! Key point. Speaking from the painful and time consuming experience of my computer crashing and losing all my data and blog entries. And update to the latest version of WordPress…good tips to cover, thank you much for sharing them.

  2. Sonicjar Music says:
    April 4, 2013 at 6:41 am

    Thanks man!! this really helped.. Just Secured our plugin directory!

  3. Impact Ads says:
    July 27, 2012 at 1:18 am

    Thanks for the info. Had a guy take down a site belonging to one of my clients. Want to do everything I can to protect his new site.

  4. Timber says:
    June 12, 2012 at 7:00 am

    Thanks for all the tips, very good advice and I will put into practices straight away.

  5. Peter says:
    June 4, 2012 at 10:57 pm

    I think it is important that you follow those tips. For myself, I also have one measure to help protect my site. Instead of using normal FTP application to connect to the site, I use Secure FTP application to upload my stuff. This way, it prevents hackers from listening in to the connection and finding out what my passwords are. This should be particularly useful for web design companies.

  6. Fotografia de Casamento says:
    March 29, 2012 at 7:55 am

    After an exploit attack I decided to follow these steps and never again had an attack. The issues are reliable. Thanks a lot for this valuable information!

  7. admin says:
    March 28, 2012 at 10:17 pm

    You can simply add the following line of code in your theme’s functions.php file and it will do the job:

    remove_action('wp_head', 'wp_generator');

  8. Sagar says:
    March 28, 2012 at 10:49 am

    I use login lockdown to protect my blog, how do I hide the WP version from my blog?

  9. Anita Clark says:
    February 12, 2012 at 1:27 pm

    For those of us that rely on our sites to drive business, it’s imperative to both backup and protect our information and the database too.

  10. Mike says:
    February 4, 2012 at 6:41 pm

    Some things never change, like doing regular backups and updates.
    We are using now WordPress 3.3, but your article from March 2009 still is up to date 😉

  11. Linda says:
    December 18, 2011 at 12:01 am

    These tips aren’t just applicable to WordPress, a lot of them can apply to Joomla or other CMS platforms.

  12. Rockabilly Clothing Australia says:
    November 20, 2011 at 1:14 am

    Excellent tips mate,
    I always found it hard to administrate my WordPress site
    so your tips are a godsend 😉

  13. admin says:
    October 4, 2011 at 7:19 pm

    Go with WordPress 🙂

  14. New Look Discount Code says:
    October 4, 2011 at 3:40 pm

    Is WordPress the best software to use for blogging? I’m looking to add a blog to my website but am not sure which type of blog software I should go for. Any tips?

  15. USANA says:
    September 22, 2011 at 7:37 am

    The problem with some of my .htaccess file contents disappearing occurred when updating permalinks. It appears that was because my custom entries were inserted between the # BEGIN WordPress and # END WordPress comments. Moving my entries outside the WordPress BEGIN/END block solved my problem.

  16. vchileshe says:
    September 9, 2011 at 12:05 am

    Thank you for these WordPress tips. A strong password is a good start, and then learn to use the htaccess file to secure your website. It’s a jungle out there!!!

  17. kevin says:
    August 29, 2011 at 3:59 pm

    Ha! I wish I’d read this last week. thanks for the tips

  18. Zumba High Wycombe says:
    August 3, 2011 at 6:44 am

    I’m just looking into setting up a WordPress site, so thanks very much for the great information. Bookmarking this now to keep returning back as I configure mine.
    Thanks

  19. Arsenal blog says:
    July 6, 2011 at 10:14 am

    I have started my blog and have been looking for tips….WordPress or Blogger?

  20. admin says:
    May 23, 2011 at 8:40 pm

    If you are on a shared server then it is hard for you to do anything on your end if the server gets hacked (if the root account gets hacked then there is nothing you can do). Just make sure to take regular backups so you can restore from a known point.

  21. Brand says:
    May 23, 2011 at 10:31 am

    Great tips, although is there any way to protect WordPress from other websites on a shared server getting attacked (i.e. to limit potential damage)?

  22. web design says:
    March 30, 2011 at 8:55 am

    Nice technique as I ever seen.

  23. SEO says:
    March 21, 2011 at 1:02 am

    Whoa, very cool WordPress security tips… thank you for sharing

  24. Mailing Fulfilment Services says:
    March 15, 2011 at 11:06 am

    I stick to a policy of using 6 letters and 6 numbers. This is the case for all of my passwords, not just my WordPress and Blogspot ones.

  25. Allen Resha says:
    February 15, 2011 at 6:03 am

    I have had my blogs hacked a few times. It is not fun to have to fix it. Since this has happened I have taken measures to keep it from happening again. This article adds insight and has given me some new ways to ensure that I don’t get HACKED again!

  26. Johnie says:
    February 1, 2011 at 8:36 am

    I’ve been searching for some decent stuff on the subject and haven’t had any luck up until this point. You just got a new biggest fan!

  27. Kirk says:
    January 18, 2011 at 3:51 pm

    Many thanks, I at least can walk away knowing I’m a bit more secure without calling security LOL..

  28. robin says:
    January 11, 2011 at 12:18 am

    Wow great article very interesting

  29. รับทำเว็บไซต์ says:
    January 2, 2011 at 11:07 am

    OMG Useful tips 🙂

    Thank you

  30. John Gamings says:
    January 2, 2011 at 4:50 am

    Wow this is incredibly helpful. I’m fortunate enough to never have had any security troubles but I know a guy who got his blog hacked into and it cost him thousands. Thanks so much for this article

  31. admin says:
    November 22, 2010 at 9:07 pm

    Use the “Akismet” plugin.

  32. Mark says:
    November 22, 2010 at 8:12 am

    I know this post is predominantly about preventing your blog from being hacked; however, how do you prevent the endless amount of spam comments that a blog receives? Admittedly I turn comment moderation on so I can delete them before they are added to the blog, but it is laborious to keep deleting spam comments. Is there somewhere within the settings of WordPress, or indeed a plugin I could use, to stop these comments?

  33. Dukes says:
    November 10, 2010 at 5:46 pm

    It looks like that picture is covering a solid paragraph of your post. As for people hacking into wordpress accounts, wow. I’ve never been that unlucky, or known anyone that unlucky. I have to give it up to the hackers that have though.

  34. Chloe @ Cheap dog clothes says:
    September 14, 2010 at 2:33 pm

    Very useful tips, especially the .htaccess part. Thanks a lot!

  35. iluminação says:
    June 15, 2010 at 7:48 am

    I recently made a WordPress based hotsite for my company. After reading this post I decided to add all the protections listed above.

  36. decoupage says:
    June 15, 2010 at 7:44 am

    Recently I’ve received a lot of spam through the contact form. I’ll try to add the suggested protections. Thanks for the tips.

  37. Ningbo says:
    May 18, 2010 at 9:03 am

    THANK YOU for your great and useful article!

    I would also suggest renaming the famous “admin” default username to something totally different.
    To rename the admin or any other username you can try WP Optimize (http://wordpress.org/extend/plugins/wp-optimize/) , it does the job in 1 second…

    Thanks again for sharing!
    Paul

  38. iolo says:
    March 17, 2010 at 3:20 pm

    Hi, Thumbs up tips!

    I’m wondering if there any way that may help change or just rename wp-admin URL to something else!
    for example instead of wp-admin/profile.php I suppose it should be example.com/[UserName]/profile.php or example.com/[RandomNumbers]/profile.php

    Thanks in advance

  39. Riva Sinjal says:
    February 11, 2010 at 9:32 am

    Nice tips… There are also a few useful security plugins in the WordPress plugins repository

    * WordPress Firewall – Identify and stop most obvious attacks (SQL injects).
    * Security Scan – Scans your WordPress installation for security vulnerabilities and suggests corrective actions.
    * CopyrightPro – Disable right click on your WordPress, disable selection of text,
    and protects from iframes.

  40. Albert says:
    December 28, 2009 at 3:02 pm

    Ya nice tips. We should back up our data because hackers can do anything at any time. So back up your data to protect the database.

  41. Danny says:
    November 3, 2009 at 3:18 pm

    Nowhere did I see FTP as a concern. I think it should be, as the security is pretty basic and not as good as SSH.

  42. Madeglobal says:
    September 14, 2009 at 11:59 am

    You could also try the “better-protected-pages” plugin available from http://www.wordpress.org/extend which allows your users to “re-lock” a password protected page when they have finished reading it. We found this to be a major problem on public computers because the password protected page remains “unlocked” even when you log out or close the browser … the plugin fixed this issue.

  43. admin says:
    March 28, 2009 at 8:14 pm

    Hi RaiulBaztepo, You are most welcome. Who said your English is bad? 😛

  44. RaiulBaztepo says:
    March 28, 2009 at 7:57 pm

    Hello!
    Very Interesting post! Thank you for such interesting resource!
    PS: Sorry for my bad English, I’ve just started to learn this language 😉
    See you!
    Your, Raiul Baztepo
