wordpress-securityWordPress is one of the most universal content management systems in the world. Even better, it is open source! However, being an open source piece of software, it can be susceptible to malicious individuals burrowing through code and finding vulnerabilities in the code, which they try to exploit. As such, WordPress sites have been prone to security breaches and being hacked. Having your WordPress site hacked can be harmful to your reputation and your business.

Stay Updated

WordPress itself constantly pesters you about new updates that are available for WordPress. Do not ignore these! It’s vital that you stay up to date on your WordPress installs, themes, and plugins to safeguard against any existing vulnerabilities that have been patched up.

WordPress will display the update notifications as soon as you login. They will let you know if your WordPress “version”, “themes” and/or “plugins” need to be updated.

Remove Old or Inactive Themes and Plugins

WordPress themes and plugins that are installed on your WordPress website, that are presently inactive, or older versions are security risks. They may not be the most up to date versions, and have security weaknesses that malicious attackers can take advantage of.

Your best bet is to eliminate any themes and plugins that you are not currently using and stick with what you need.

Disable the Theme / Plugin Editor

Intruders who are able to crack your admin login and password are able to access your theme or plugin files and inject their own malicious code. For example, they can replace a template file into a PHP uploader and upload more files or change file permissions without you even knowing about it.

Disabling the built-in Theme and Plugin text editor inside of WordPress prevents these intruders from modifying your Theme or Plugin code in any way.

In the directory that you’ve installed WordPress into, you will see a file called wp-config.php, You will need to add the following code into that file:

/* disable theme editor and plugin editor */

define( ‘DISALLOW_FILE_EDIT’, true );

define( ‘DISALLOW_FILE_MODS’, true );

Once disabled, editing files inside of the WordPress admin panel should no longer be permitted.

Protect Your .htaccess File

Your .htaccess file acts like the gatekeeper for your website content. It allows you to control file permissions (meaning you can determine who has access to specific files or file types). It’s a hidden file that’s located in the root directory of your website, and you’ll need to “show hidden files” in order to be able to access it.

Once you are able to edit it, add this to the file:

# protect .htaccess file

<Files ~ “^.*\.(


order allow,deny

deny from all

satisfy all


This will ensure that no one from the outside world can access your .htaccess file, guarding yourself from intruders who try to change file permissions on your website.

Disable Directory Listing

While you’re inside of .htaccess, you might as well incapacitate the ability to get directory listings from your WordPress install.

Directory listings are used to see the contents of folders, and are often used to look at websites as a whole. However, being able to see them is not good, as it usually means it’s wide-open to the public. This means that people can search for vulnerable files and exploit security holes.

While editing the  root .htaccess (the one for your entire website install) of your website, you need to add this:

Options -Indexes

This will limit the ability for anyone and everyone from being able to list the contents of your website, making it that much harder to find vulnerable files.

Protect the ‘wp-config.php’ File

Your wp-config.php file contains a lot of info that can be very delicate, should someone ever gain access to it. Things like your database username and password, which is basically the lifeline to your WordPress website.

The WordPress website database can be sheltered by ensuring the wp-config.php file is locked down and secured. Add this to your .htaccess file:

# protect wp-config.php

<files wp-config.php>

order allow,deny

deny from all


As with everything else, this code stops outside, public access for wp-config.php, ensuring that this very sensitive data is fairly secure.

Prevent ‘wp-login.php’ From Being Accessed by Unknown IPs

The file, wp-login.php, is the gatekeeper to your WordPress admin panel. By default, you can access this page from anywhere and everywhere, which is useful, but also a giant security risk.

Using .htaccess, a list of IPs can be created that are allowed access (commonly referred to as a ‘whitelist’) to thwart non-known IPs from attempting password guesses.

Inside the root folder’s .htaccess, add this code:

<files wp-login.php>

order deny,allow

deny from all


# static IP

allow from xxx.xxx.xxx.xxx


# dynamic IP

allow from xxx.xxx.xxx.0/8

allow from xxx.xxx.0.0/8


Fill in your actual IPs in place of the x-placeholders. If you know your actual IP, stick with static (just be sure to update it, should it change) or use dynamic if you need to allow a range of IPs. Just type “myip” in Google to find your IP address

Prevent ‘wp-admin’ From Being Accessed by Unknown IPs

The security levels of ‘wp-login.php’ through an IP whitelist can be doubled by creating the same whitelist for the wp-admin folder inside of the WordPress directory. Add this code to your .htaccess file to inhibit non-known IPs from accessing your wp-admin folder:


order deny,allow

deny from all


# static IP

allow from xxx.xxx.xxx.xxx


# dynamic IP

allow from xxx.xxx.xxx.0/8

allow from xxx.xxx.0.0/8



Deny Executable Files Like .exe Extension

Executable files are trouble – they will frequently contain malicious code that can install worms and virus on a user’s computer. These can be blocked, of course, by using .htaccess!

Add this to your .htaccess file:

# deny all .exe files

<files “*.exe”>

order deny,allow

deny from all


This, like the other code, prevents any and all .exe files from being accessed on the server.

Add a Firewall

Much like the .htaccess whitelist, allowing only known IPs access to wp-login.php. A firewall will only allow known IP addresses to access your FTP server. This is something that you will have to ask your website hosting provider to set up.

Additional Plugin Recommendations


Website security is normally the last thing on the minds of website owners. However, WordPress site owners should be diligent with website security in order to keep their WordPress sites safe and secure. The above list is a solid start.