Cartier Consulting

Securing Your WordPress Installation

WordPress is a great blogging platform. Perhaps the power of WordPress (hereafter referred to as WP) is best exemplified in its diversity. Sites based on WP don’t need to look and feel like a conventional blog. You can apply themes, install and configure plugins to add or modify features, and restrict content to certain users, all while maintaining a consistent base that is easily (usually 😉 ) upgraded with a few clicks in the admin dashboard.

This site is itself based on WP.

The purpose of this article is to share some tips for securing your WP installation. None of the techniques below is sufficient on its own; each one removes a piece of information an attacker would use or closes one avenue of attack, so a combination is definitely best:

  • Remove the META tag containing the WP version from the <head> of your pages. Depending on the age of your theme, header.php may contain a line like this (newer versions of WP print the tag themselves through the wp_generator action on wp_head, in which case it has to be unhooked in code rather than deleted from the template):
    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
    Bear in mind that this hides the version only from casual scans: WP also appends ?ver=<version> to the URLs of the scripts and stylesheets it loads, and the readme.html file in the site root states the version as well.
  • Avoid listing the plugins you use, especially together with their versions. Hackers compare this information against known vulnerabilities in outdated plugin versions and, when a match is found, exploit the weakness in that code; a single vulnerable plugin can be enough to gain complete control of your blog’s web space.
  • If your site is hosted on an Apache web server, place .htaccess files in the site root, wp-admin and wp-includes directories to stop visitors (a.k.a. hackers) from requesting a directory and receiving a listing of the files in it. This is not bullet-proof (the name of a file can still be guessed), but it adds a layer of protection. The directive that actually turns listing off is Options -Indexes; the rewrite rules that WP itself writes into the root .htaccess when you save your permalink settings do not do this on their own. A root .htaccess therefore looks like this:
    # Disable directory listing. Requires "AllowOverride Options" (or All)
    # in the server configuration; see the note below.
    Options -Indexes

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    WP rewrites everything between the BEGIN and END WordPress markers whenever you save your permalink settings, so keep your own lines outside that block. The files in wp-admin and wp-includes need only the Options -Indexes line; the rewrite rules belong in the site root only. If your host’s configuration does not allow Options to be overridden in .htaccess, Apache will answer every request in that directory with a 500 Internal Server Error as soon as the file is in place, so load the site immediately after uploading it and remove the line if that happens.

    If you do create such a file, be sure that the file name is only .htaccess and there is no file type extension on it such as .txt. The Apache web server will not interpret .htaccess.txt as a valid .htaccess file.
  • Create a blank index.html file and place it in your wp-content/plugins folder, so that a request for that directory returns an empty page instead of a listing of your plugins. Note that WP already ships an index.php file (“Silence is golden”) in wp-content and wp-content/plugins for this reason, and that neither file stops a hacker from requesting a known plugin path, such as its readme.txt, directly; the source of your pages also reveals plugins through the script and stylesheet URLs they load. Here is the source code for a sample blank index.html file:

    <html>
    <head>
    <title>Access denied</title>
    </head>
    <body></body>
    </html>

  • Install some of the better-known security plugins for WP. These are fairly easy to find, but here are some good suggestions. Note that these are best installed from your blog’s Admin Dashboard > Plugins > Add New menu by searching for the names. This lets you avoid manually unzipping and uploading files to the server, and it ensures you get the current release from the official plugin repository:
  • Subscribe to the WordPress Development Blog so you get early notice of upgrades and updates. This way, you can be proactive about keeping your blog and its security up to date.
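The first tip above can be applied in code instead of by editing header.php, which also covers the two leaks the template edit misses (the feed generator element and the ?ver= query string on script and style URLs). The following is an added example written for this article, not code from the original post or from WordPress itself; it assumes the file is saved as a must-use plugin in wp-content/mu-plugins/ (any file name works there, and such files load automatically), and the function name cc_example_strip_core_version is my own.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example)
 * Description: Removes the generator meta tag, the feed <generator> element
 *              and the core ?ver= query string from script/style URLs.
 *              Assumption: saved as wp-content/mu-plugins/hide-wp-version.php.
 */

// Only run inside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Core hooks wp_generator() onto wp_head to print
// <meta name="generator" content="WordPress x.y" />. Unhooking it is more
// robust than editing header.php, which a theme update can overwrite.
remove_action( 'wp_head', 'wp_generator' );

// The same version is printed in the RSS/Atom <generator> elements and in
// export files; the the_generator filter covers all of those output types.
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Strip ?ver=<WP version> from an enqueued asset URL.
 *
 * Core appends its own version to every script and style enqueued without an
 * explicit version, which reveals the WP version on every page. Only that value
 * is removed: plugin and theme assets that set their own version keep it, so
 * browser caching of those files still invalidates correctly after an update.
 *
 * @param string $src Asset URL as passed by script_loader_src / style_loader_src.
 * @return string URL with the core version parameter removed.
 */
function cc_example_strip_core_version( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'cc_example_strip_core_version', 15 );
add_filter( 'style_loader_src', 'cc_example_strip_core_version', 15 );
```

To check the result, fetch your front page and your feed and search the responses for “generator” and “ver=”. The readme.html in the site root still has to be deleted or blocked separately (it comes back with every core update), and a determined attacker can still fingerprint the version from the hashes of static core files, so treat this as reducing disclosure, not eliminating it.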

Hopefully you have found this article useful. If so, please feel free to rate it, post comments, or better yet, trackback links on your own site(s).


Comments

2 Responses to “Securing Your WordPress Installation”
  1. Swardello says:

    Great tips! I tried using an .htaccess file in my wp-content directory but it broke the built-in image uploader. You didn’t say to put one there, but I think that’s one of the most vulnerable folders.

    Thank you for the great information!
    Steve

  2. Dan says:

    @ Steve:

    Glad you liked the article. One of the security plugins I suggested, WP-MalWatch, can scan your wp-uploads folder automatically. Adding an .htaccess file with file type limitations might also help. See each plugin’s site for more details on the implementation of this…

    -Dan

    Update 0Nov2014: WP-Malwatch is outdated and I’ve replaced it with Bulletproof Security.

