Matt Forney

Securing Your WordPress Blog Against Hackers

As I’ve written in my book Confessions of an Online Hustler, the best way to protect yourself from hackers, stalkers and other freaks online is to not be an idiot. Don’t provoke people needlessly, don’t be excessively belligerent, and don’t do anything to them that you wouldn’t want done to you. Not being a dumbass will save you in 95 percent of cases.

This is for the remaining five percent.

A year ago, when I wrote an article poking fun at Portland’s horrific dating scene and cliquish culture, some white knight got hacked off enough to try and hack my site. He didn’t succeed, of course, but the script kiddie managed to wreak enough havoc to knock my site offline for a few hours. He was using a brute force program (a hacking program that uses a dictionary to guess computer passwords) to try and gain access to my site. While I had a plugin to block access to anyone who entered a wrong password more than four times in a row, the guy was assaulting me from so many different IP addresses that my server couldn’t handle the load.

Then this happened.

I was sick of playing phone tag with script kiddies, so I revamped my site’s security protocols by installing Better WP Security. It has every option you need to secure your site against hackers. The only problem is that the number of options it throws at you is a bit dizzying, so here’s my advice for configuring the plugin:

  1. Enforce strong passwords for all users. To create a strong password, use a random password generator. The ideal password has at least six characters and is a random assortment of letters (upper and lowercase), numbers and symbols.
  2. Turn on all Header Tweaks. Note that selecting the option “EditURI Header” may cause compatibility issues with some plugins.
  3. Disable update warnings for non-administrative users.
  4. Remove the “admin” user. If I recall correctly, newer installations of WordPress do this anyway.
  5. Remove the user with “id 1.”
  6. Change your MySQL table prefix to something random.
  7. Schedule a weekly backup of your MySQL database. Also make sure to have this backup sent to your email address so you can restore the site in the event of an emergency.
  8. Use’s blacklist to block bad agents and hosts.
  9. Enable lockouts on your login page to protect against brute force attacks.
  10. Secure your .htaccess file from public access. Note that you shouldn’t remove write permissions from .htaccess (or wp-config.php), as doing so can mess your site up.
  11. Block users who are trying to scan your site for vulnerabilities.
  12. Block long URLs.
  13. Disable the theme and plugin editors from the WordPress backend. Note that this feature isn’t compatible with custom, paid themes (such as the ones from DIYThemes or Elegant Themes).
  14. Allow Better WP Security to write to wp-config.php and .htaccess. I think this is turned on by default, but it never hurts to double-check.
  15. Hide version information from non-admin users.
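The lockouts in step 9 are per IP address, which is exactly what the attack described at the top of the post sidestepped: many addresses, each staying under the threshold. The following is an added example, not code from this post or from Better WP Security, that reads ordinary web-server access-log lines, reconstructs what a per-IP lockout would have caught, and then looks for the distributed pattern a per-IP rule cannot see. It assumes WordPress's usual behaviour (a failed POST to wp-login.php re-renders the form with a 200, a successful one redirects with a 302); the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Start of an Apache/nginx "combined" log line; the referrer/user-agent tail is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }

def login_failures(lines):
    """(timestamp, ip) for every failed wp-login.php attempt.
    Assumption about WordPress: a failed login re-renders the form (200),
    a successful one redirects to the dashboard (302)."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0] == "/wp-login.php"
                and rec["status"] == 200):
            events.append((rec["ts"], rec["ip"]))
    return events

def per_ip_lockouts(events, limit=4):
    """What a per-IP lockout plugin sees: addresses with more than `limit` failures."""
    counts = Counter(ip for _, ip in events)
    return {ip: n for ip, n in counts.items() if n > limit}

def distributed_bruteforce(events, window_s=600, limit=4, min_total=20):
    """Per time bucket, sum the failures from IPs that each stayed at or under the
    per-IP limit (so no lockout fires). A large sum spread over many distinct IPs
    is the distributed pattern the per-IP rule misses."""
    buckets = defaultdict(Counter)
    for ts, ip in events:
        buckets[int(ts.timestamp()) // window_s][ip] += 1
    alerts = []
    for key in sorted(buckets):
        quiet = {ip: n for ip, n in buckets[key].items() if n <= limit}
        total = sum(quiet.values())
        if total >= min_total:
            alerts.append({
                "window_start": datetime.fromtimestamp(key * window_s, tz=timezone.utc),
                "failures": total,
                "distinct_ips": len(quiet),
            })
    return alerts

# --- constructed sample log (not real traffic; documentation-only IP ranges) ---
def make_line(ip, ts, method, path, status):
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" {status} 1234'

T0 = datetime(2014, 2, 1, 3, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # 30 different addresses, one failed login each, spread over five minutes
    [make_line(f"203.0.113.{i + 1}", T0 + timedelta(seconds=10 * i), "POST", "/wp-login.php", 200)
     for i in range(30)]
    # one noisy address that trips the per-IP lockout on its own
    + [make_line("198.51.100.7", T0 + timedelta(seconds=400 + 5 * j), "POST", "/wp-login.php", 200)
       for j in range(6)]
    # a real login (302) and an ordinary page view, both of which must be ignored
    + [make_line("192.0.2.10", T0 + timedelta(seconds=500), "POST", "/wp-login.php", 302),
       make_line("192.0.2.11", T0 + timedelta(seconds=510), "GET", "/2014/02/post/", 200)]
)

if __name__ == "__main__":
    ev = login_failures(SAMPLE_LOG)
    print("per-IP lockouts:", per_ip_lockouts(ev))
    for a in distributed_bruteforce(ev):
        print(f"distributed attack from {a['window_start']}: {a['failures']} failures "
              f"from {a['distinct_ips']} addresses, none over the lockout limit")
```

Run it against your own access log (`login_failures(open("access.log"))`) and tune `window_s` and `min_total` to your traffic; the point is that the per-IP count and the per-window count are two different signals, and only the second one shows what the plugin's lockout was blind to.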

The other options can be tinkered with at your discretion:

  • I’m somewhat conflicted on Away Mode, which shuts down the admin panel for a select period each day. I use it during the overnight hours when I’m asleep to both protect the site and motivate me to finish my work instead of staying up late farting around on the computer. If you’re running a group blog with contributors in different time zones, however, this feature won’t work for you.
  • Hiding the admin panel doesn’t seem to work with my existing servers, and will also require you to update all your bookmarks if you do enable it.
  • File Change Detection has the potential to really fuck your site up if your servers can’t handle it. The first time I switched it on, my site instantly got smacked with a 500 error, forcing me to manually remove Better WP Security via FTP to get everything working again. 404 Detection is safe to turn on, but make sure you add your site’s IP address(es) to the whitelist, otherwise you’ll get 403 errors.
  • Do not rename the wp-content directory unless you’re starting a new blog from scratch. Otherwise, all existing links on your site will be broken.
  • Requiring a secure connection for logins and the admin panel requires your server to support SSL; otherwise it won’t work.

If you’re looking to put your shit on lockdown and prevent script kiddies from making a mess of your site, you need to install Better WP Security. While it’s not bulletproof—no security solution is—it’s the best you can get.


  • Drifter

    If you have shell access to your server, the best way would be to block access to the admin section of wordpress on your server by IP address. This is a little challenging if you access it from a dynamic IP address, but you can add a range of IP addresses your ISP uses. Over time, this has proven to be the most effective solution for me. Something like this would work, substituted with your own IP ranges of course:

    # Turn on rewriting; the rules below are relative to the site root
    RewriteEngine On
    RewriteBase /
    # Conditions are ANDed: the client must match NONE of the allowed ranges
    # (12.123.123.10 through 12.123.123.39 here; substitute your own) ...
    RewriteCond %{REMOTE_ADDR} !^12\.123\.123\.1[0-9]$
    RewriteCond %{REMOTE_ADDR} !^12\.123\.123\.2[0-9]$
    RewriteCond %{REMOTE_ADDR} !^12\.123\.123\.3[0-9]$
    # ... and must be requesting something under wp-admin/
    RewriteCond %{REQUEST_URI} wp-admin/
    # If both hold, redirect to the front page and stop processing rules
    RewriteRule ^(.*)$ index.php [R,L]

    This also has the added benefit of reducing the load on your server, as WP-security et al. don’t have to be loaded and process every request; it is discarded swiftly by the web server itself.

    Love your blog, keep up the good work. Cheers!
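To make the approach in the comment above easier to get right (a typo in the range locks you out of your own dashboard, and anything outside wp-admin/ is left open), here is an added Python helper. It is not part of the comment, of WordPress or of any plugin; it generates the RewriteCond lines from plain IP ranges and lets you check offline which client/URI pairs the block would turn away before you upload it. It goes slightly beyond the comment's rule: it also covers wp-login.php, which lives outside wp-admin/, and exempts admin-ajax.php, which front-end plugins call on behalf of ordinary visitors. The ranges in ALLOWED are constructed.

```python
import ipaddress
import re

def range_to_patterns(first, last):
    """Turn an inclusive IPv4 range into anchored regexes for RewriteCond %{REMOTE_ADDR},
    one per /24 the range touches. A whole /24 becomes [0-9]{1,3} (it over-matches
    strings that are not valid addresses, which REMOTE_ADDR never carries); a partial
    /24 becomes an explicit alternation of last octets."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    patterns = []
    cur = lo
    while cur <= hi:
        net = ipaddress.IPv4Network(f"{cur}/24", strict=False)
        end = min(hi, net.broadcast_address)
        prefix = r"\.".join(str(cur).split(".")[:3])
        if cur == net.network_address and end == net.broadcast_address:
            last_octet = "[0-9]{1,3}"
        else:
            octets = range(int(cur) & 255, (int(end) & 255) + 1)
            last_octet = "(" + "|".join(str(o) for o in octets) + ")"
        patterns.append(rf"^{prefix}\.{last_octet}$")
        if end == ipaddress.IPv4Address("255.255.255.255"):
            break
        cur = end + 1
    return patterns

def render_htaccess(allowed):
    """Emit the rewrite block. Beyond the comment's version it also protects
    wp-login.php and exempts admin-ajax.php (used by front-end plugins)."""
    lines = ["RewriteEngine On", "RewriteBase /"]
    for first, last in allowed:
        for pat in range_to_patterns(first, last):
            lines.append(f"RewriteCond %{{REMOTE_ADDR}} !{pat}")
    lines += [
        r"RewriteCond %{REQUEST_URI} !admin-ajax\.php",
        r"RewriteCond %{REQUEST_URI} wp-admin/ [OR]",
        r"RewriteCond %{REQUEST_URI} wp-login\.php",
        "RewriteRule ^(.*)$ index.php [R,L]",
    ]
    return "\n".join(lines)

def is_blocked(remote_addr, request_uri, allowed):
    """Emulate mod_rewrite's evaluation of that block: every negated condition must
    hold and the [OR] pair must match, i.e. the client is outside all allowed ranges,
    the URI is not admin-ajax.php, and the URI is an admin or login URI."""
    pats = [p for first, last in allowed for p in range_to_patterns(first, last)]
    outside = not any(re.search(p, remote_addr) for p in pats)
    not_ajax = re.search(r"admin-ajax\.php", request_uri) is None
    protected = (re.search(r"wp-admin/", request_uri) is not None
                 or re.search(r"wp-login\.php", request_uri) is not None)
    return outside and not_ajax and protected

# Constructed allow-list: the same .10-.39 range the comment covers with three
# RewriteCond lines, plus a hypothetical second ISP block (documentation range).
ALLOWED = [("12.123.123.10", "12.123.123.39"), ("198.51.100.0", "198.51.100.255")]

if __name__ == "__main__":
    print(render_htaccess(ALLOWED))
    print()
    for ip, uri in [("12.123.123.15", "/wp-admin/"),
                    ("12.123.123.40", "/wp-admin/"),
                    ("12.123.123.40", "/wp-login.php"),
                    ("12.123.123.40", "/wp-admin/admin-ajax.php"),
                    ("12.123.123.40", "/2014/02/post/")]:
        verdict = "BLOCKED" if is_blocked(ip, uri, ALLOWED) else "allowed"
        print(f"{ip:16} {uri:28} {verdict}")
```

The check in `is_blocked` mirrors how mod_rewrite combines conditions (implicit AND, with `[OR]` joining only the two URI conditions), so a range you cannot reach with it from your own address is a range you will not reach with the real .htaccess either.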

  • Pingback: February's Best Web Design, CMS, and Security Content | WiredTree Blog

  • Hey Matt,
    Thanks for the nice post. WordPress security continues to be an issue, and I thought my readers would find value in your post. As such, I wanted to let you know that I included your post in my roundup of February’s best web design/development, CMS, and security content. Thanks again for the helpful post.