Security Tips

1. Nobody should be allowed to search your entire server.

  • WPdesigner advices us to NOT use this search code in the search.php
    <?php echo $_SERVER ['PHP_SELF']; ?>
    Nobody should be allowed to search your entire server, or? Use this one instead:
    <?php bloginfo ('home'); ?>
  • Block WP- folders from being indexed by search engines, the best way to block them in your robots.txt file. Add the following line to your list:
    Disallow: /wp-*

2. Directories should not be left open for public browsing

There is a potential problem letting people know what plugins you have, or what versions they are. If there is some known exploit that is linked to a plugin, it could be easy enough for someone to use it to their advantage. Make an empty wp-content/plugins/index.html file or just add this line in your .htaccess file in your root:
Options All -Indexes

3. Drop the version string in your Meta Tags

A large number of WordPress themes have the WordPress Meta Tag that show the version of WordPress that is running on your blog which is an easy way to get your blog prone to hackers if you didn’t upgrade to the security-enhanced file permissions on both which is pointed out by Matt Cutts. Another solution involves a plugin that sets up a secondary new version.

This tag is in the header.php file that displays your current version of wordpress.

<meta content="WordPress &lt;?php bloginfo(’version’); ? /&gt;" name="generator" />

4. Stay Updated

You need to keep your on your plugin/widget, theme, and WordPress versions updated. Also, subscribing to the plugin/widget/theme Author’s RSS feeds makes keeping up with them much easier.

5. Take regular backups of your site and Database

You always have to take regular backups of your file directories as well as the database. WordPress Database Backup plugin creates backups of your core WordPress tables as well as other tables of your choice in the same database.

6. Use SSH/Shell Access instead of FTP

If someone gets a hold of your FTP login information (which is usually not encrypted and easy to get), they can manipulate your files and add spam to your site without you even knowing about it! Using SSH, everything is encrypted including the transfer of files, etc.

7. Stop worrying about your wp-config.php file

Keep your database username and password Safe by adding the following to the .htaccess file at the top level of your WordPress install:

<FilesMatch ^wp-config.php$>deny from all</FilesMatch>

This will make it harder for your database username and password to fall into the wrong hands in the event of a server problem.

8. Block WP- folders from the Search Engines

There is no need to have all of your filesWordpress files indexed by Google, so it’s best to block them in your robots.txt file. Add the following line to your list

Disallow: /wp-*

9. Block access to WP-Admin folder using .htaccess

There is an article written Reuben that talks about how you can protect your WordPress admin folder by allowing access to it from a defined set of IP addresses. Everything else will bring up a Forbidden error message. So if you only access your blog from one or two places routinely, it’s worth implementing. Also, you’re supposed to create a new .htaccess file inside your wp-admin folder, not replace the one at the root of your blog

10. Don’t Use Default Passwords

Are you still logging into your wp-admin page with the same default password that was emailed to you? If so, CHANGE IT! You can follow the instructions given in the article “Hack Proof Password” posted by us earlier to imrove the strength of your password.

11. Change database table prefix

The default prefix used by WordPress is “wp”. You can easily change the prefix to other terms that are difficult to guess using the WP-Security-Scan. More detail on this plugin below.

12. Don’t use (or better yet, remove) the default “admin” username

When you install WordPress, it automatically generates a user with Administrator-level permissions called admin. It is strongly recommended that you do not use this username to make it harder for the hacker to guess your username and password via Brute force attacks. Even if you downgrade its permission role, it’s still a better idea just to remove this user altogether.

You can use the Change Username Plugin to change the Username of Admin Account.

Security Plugins

13. Secure WordPress

Plugin HomePage

It will help secure WordPress installation by removing miscellaneous items after the installation process which may aid hackers. It will remove error information from the login-page and also remove or change the WP-version data but leave it unchanged in the admin area. It is suggested to remove any unwanted information to the non-admin for security reasons so it will remove update information about plugins, themes and core update information. Secure WordPress will add a blank index.html to the plug-in directory such that if anyone is trying to view the contents of the directory they will be viewing a blank page instead of the contents.

14. Force SSL

Plugin HomePage

Having a secure SSL connection to communicate with your users is beneficial. To enable this, your site must be SSL enabled first. To implement this, you need to buy the SSL certificate. By installing this plug-in it will force your user browser to connect to your site via a SSL connection. This eliminates any third party attacks between the connection and all the data that is transmitted to and from the site will be encrypted for better security.

15. Chap Secure Login

Plugin HomePage

If you are not having a secure connection like SSL to protect your password , then you can use this plug-in for encrypting passwords. It will use the Chap protocol to hide the passwords and transmit it encrypted. The only information that is transmitted unencrypted is your username. Protecting password will give full security because password leaks will enable the hacker the gain full control of your WordPress blog.

16. HTTP Authentication

Plugin HomePage

The HTTP Authentication plugin allows you to use existing means of authenticating users for WordPress. This includes Apache’s basic HTTP authentication module and many others.

17. Anonymous WordPress Plugin

Plugin HomePage

All the WordPress versions 2.3 and above have the feature to get automatic updates for plugins. During this process it will send some of your information like your blog’s URL, version number, list of installed plugins and activated plugins to WordPress.org. This information could be of potential use for hackers. So to avoid this, installing Anonymous WordPress plug-in is a feasible option. It will strip off your blog’s URL and version number and empty the activated plugins list. This plug-in is compatible with WordPress 2.3 and above.

18. Login Encrypt

Plugin HomePage

This will help encrypt the login information using the complex DES and RSA combination. It uses the JavaScript appended and encrypted the password of the user and generates a unique DES key. And by using this key, user can have secure login each time they login to your blog.

19. Admin SSL

Plugin HomePage

This plug-in will work with both the private and shared SSL connections and it will force a SSL connection in every page where password can or has to be entered. It is very helpful to protect the admin area, posts and all the pages of your WordPress installation and secure the login page. This plug-in works on WordPress 2.2 to 2.7.

20. AskApache Password Protect

Plugin HomePage

It will block the bots and creates a safe wall for any vulnerability your WordPress blog may have. It will protect your password as well as your WordPress directories like the wp-includes, wp-content, etc. It is like placing your WordPress blog behind a security wall.

21. TAC (Theme Authenticity Checker)

Plugin HomePage

TAC stands for Theme Authenticity Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. As of v1.3 TAC also searches for and displays static links.

22. Invisible Defender

Plugin HomePage

This plugin protects registration, login and comment forms from spambots by adding two extra fields hidden by CSS. This approach gave me 100% anti-spam protection on one of my sites.

23. Semisecure Login Reimagined

Plugin HomePage

Semisecure Login Reimagined increases the security of the login process using an RSA public-key to encrypt the password on the client-side when a user logs in. The server side then decrypts the encrypted password with the private key. JavaScript is required to enable encryption. It is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.

24. Stealth Login

Plugin HomePage

This plugin allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. Instead of advertising your login url on your homepage, you can create a url of your choice that can be easier to remember than wp-login.php, for example you could set your login url to http://www.myblog.com/login for an easy way to login to your website.

25. WordPress File Monitor

Plugin HomePage

Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.

26. WordPress Firewall Plugin

Plugin HomePage

This WordPress plugin investigates web requests with simple WordPress-specific heuristics to identify and stop most obvious attacks. There exist a few powerful generic modules that do this; but they’re not always installed on web servers, and difficult to configure.

It intelligently whitelists and blacklists pathological-looking phrases based on which field they appear within in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.)

27. WordPress Guard Plugin

Plugin HomePage

Angsuman’s WordPress Guard Plugin is a must-have WordPress security plugin that protects the vulnerable areas of your blog from outside access with an additional layer of security.

28. WP-Dephorm

Plugin HomePage

wp-dephorm protects your users from the prying eyes of phorm. This is achieved by setting a cookie to opt out of the phorm information mining. Your blog viewers will not have their information stored and used in marketing campaigns whilst viewing your site.

29. WP Security Scan

Plugin HomePage

Scans your WordPress installation for security vulnerabilities and suggests corrective actions.
-file permissions
-database security
-version hiding
-WordPress admin protection/security
-removes WP Generator META tag from core code

30. AntiVirus

Plugin HomePage

AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections. AntiVirus protection for your blog.

31. WordPress Exploit Scanner

Plugin HomePage

This plugin searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.

It does not remove anything. That is left to the user to do.

32. Paranoid911

Plugin HomePage

Paranoid911 checks your wordpress installation for changes and sends you an email when changes occur.

AntiSpam Plugins

33. Defensio Anti-Spam

Plugin HomePage

Defensio is an advanced spam filtering web service that learns and adapts to your behaviors and those of your readers. Defensio aims to be an all-in-one anti-spam solution. Therefore, using it along with other anti-spam plugins WILL cause problems. PLEASE deactivate Akismet and other similar plugins before activating Defensio.

34. Simple Trackback Validation

Plugin HomePage

Simple Trackback Validation Plugin performs a simple but very effective test on all incoming trackbacks in order to stop trackback spam.

35. NoSpamNX

Plugin HomePage

NoSpamNX is the successor of Yawasp (Yet Another WordPress antispam plugin) and is a plugin to protect against automated comment spam (spambots). While Yawasp changed the names of the form fields in the comment template, NoSpamNX works without these modifications, but is equally effective. By eliminating the need for modifications within the form field maximum compatibility with other WordPress plugins or browsers is ensured.
When calling the comment form NoSpamNX adds extra fields (hidden before the “normal” user) automatically to your comment template. When a comment is saved, these fields are checked. For additional protection, the order and the values of these fields change periodically, so that no spambot can adapt to a specific blog adapt.

36. SI CAPTCHA Anti-Spam

Plugin HomePage

SI CAPTCHA adds CAPTCHA anti-spam methods to WordPress on the comment form, registration form, or both. In order to post comments, users will have to type in the phrase shown on the image. This prevents spam from automated bots. It works great with Akismet.

37. AntiSpam Bee

Plugin HomePage

AntispamBee protects blogs from digital rubbish. It is made up of sophisticated techniques and analyzes comments including pings. Also, for reasons of data privacy, the use of AntispamBee is a safe solution, as it is anonymous and registration-free.

38. Akismet

Plugin HomePage

Akismet is quite possibly the most important and useful plugin you will ever install. It has been developed by the actual team behind WordPress, if that is not enough of a seal of of approval and a guarantee, I don’t know what is.

In a nutshell, Akismet checks your comments against the Akismet web service to see if they look like spam or not and lets you review the spam it catches under your blog’s “Comments” admin screen.


Plugin HomePage

The reCAPTCHA plugin is one you’ve probably seen around on sites such as Facebook, Twitter and StumbleUpon. It isn’t just your average CAPTCHA (an image containing some letters that are designed so only humans can read them), it uses words from old books, so every time you enter a reCAPTCHA, you’re helping digitise books. At this point, you’re probably thinking but if I’m telling it what the words mean, does that mean I can enter anything? How does that stop spammers? The answer is simple – there are two words, one of which the CAPTCHA knows. The second, it doesn’t and you’re helping digitise it.

Backup Plugins

40. WordPress EZ Backup

Plugin HomePage

WordPress EZ Backup is A Administrators Plugin to allow the easiest most feature rich method for creating Backup Archives of your entire Site (not just WP Installations but Any part of your site or webspace) & allows backup archives of any MySQL Database you choose & More

41. WordPress Database Backup

Plugin HomePage

WordPress database backup creates backups of your core WordPress tables as well as other tables of your choice in the same database.

42. WP-DBManager

Plugin HomePage

Allows you to optimize database, repair database, backup database, restore database, delete backup database , drop/empty tables and run selected queries. Supports automatic scheduling of backing up and optimizing of database.

43. BackUpWordPress

Plugin HomePage

BackUpWordPress is a Backup & Recovery Suite for your WordPress website. This Plugin allows you to backup database as well as files and comes with a rich set of options.



  1. 1

    Hey, I am checking this site from my Blackberry and it looks kinda funky. Thought you’d want to know. It’s a great post though, didn’t mess that up 🙂

  2. 2
    wezxyknml Says:


  3. 3
    tips Says:

    great tips ! Thanks !

  4. Nice Post, i like the article in your blog…
    i will visit this blog more often…
    Nice info in there…

    Keep Up the Good Work!


  5. 5
    fanta78 Says:

    Great tips and usefull information ! Your article is a good source to check and reinforce the security.

  6. 6

    Generally I do not post on blogs, but I would like to say that this post really forced me to do so, Excellent post!

  7. 7
    John965 Says:

    Very nice site! is it yours too

  8. 8
    John965 Says:

    Very nice site!

  9. 9

    Defenseconso a le plaisir de vous présenter l’agence matrimoniale russian lady. Des rencontres de qualité à des prix inférieurs à 3000 euros.


    N’hésitez pas à nous contacter !

    Jean-Claude AMBRIEU

    01 39 18 12 50 – 06 50 77 38 46

  10. 10

    We are a group of volunteers and opening a new scheme in our community. Your website offered us with valuable info to work on. You’ve done a formidable job and our whole community will be thankful to you.

  11. 11
    This page Says:

    I used to write a ledger on this topic. I need to find it. Great Post!! gs777-villivonka

  12. 12
    Isabelle Says:

    This paragraph provides clear idea in favor of the new viewers of blogging, that actually how to do running a

  13. Being watches breitlingable became related to the same target customer and often using the term” real women”, an expression so offensive it undermines its intended

  14. 14

    super acest lucru este minunat am gasit ceva la fel aici la WZY.
    RO 🙂 imi place

RSS Feed for this entry

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: