How to Beef Up Your WordPress Security

How can you increase your WordPress security? WordPress is a popular blog platform that has, in recent months, transformed into a great content management system.

As with any good CMS, WordPress has some security features built into its core. However, the default installation is still vulnerable to certain attacks. Fortunately, there are several easy steps you can take to harden WordPress against these attacks.


Common WordPress Attacks

Here is a listing of the most common types of WordPress attacks:

  • Brute-force login attempts – This is an attack where a bot or script continuously tries to log in to your WordPress Dashboard as the admin in order to gain Administrator access to your blog.
  • SQL injection attacks – Attacks like these use input boxes on your site (login forms, comment forms, etc) to try to inject malicious SQL code into your WordPress database.
  • Spam comments – Many bots simply come to your website and post spam comments to build backlinks to their owners’ spam sites. Most of these comments are obviously spam, but some can be surprisingly legit-looking. Usually, though, you can tell spam comments apart from others by their very general nature and suspicious-looking username, even if the spelling is good.
  • Attacks against old versions of WordPress – As WordPress is open-source, its code is available for anyone to view. One downside of this is that hackers can easily exploit bugs in the code. The result of this situation is that old versions of WordPress are constantly under attack by scripts designed to exploit bugs or flaws.
  • Attacks against vulnerabilities in plugins – Even if your WordPress installation is up to date, plugins can be a security issue as well. Many WordPress attacks are crafted specifically to exploit bugs or known vulnerabilities in plugins, so having a lot of plugins can potentially open up your site.

Fortunately, protecting WordPress against these attacks isn’t terribly difficult. Here is a listing of things you should do:

Keep WordPress and related files updated

Keep your WordPress installations updated to the latest version. As of right now (3/1/2011), the latest version is 3.1. 3.2 is set to release sometime this year. Make sure to update plugins as well. As noted above, out-of-date plugins can pose security risks.

If you have a bunch of plugins that are deactivated or unused, it’s best to delete them. Each plugin you have can pose a security risk if there is a flaw in it. If you have a plugin you plan on using later, store it outside of your WordPress installation until you need it.

Create security through obscurity

This security concept is based around the fact that most automated attacks will target default WordPress parameters. Therefore, make sure your installation doesn’t have these default parameters. Delete the user ‘admin’. Brute force attacks will almost ALWAYS try to log in with this username.

  • If you’re just setting up your WordPress installation, you should be able to change this name from the get-go when going through the configuration process.
  • If you already have an established installation, you can simply change the admin username via the command line. Find your installation’s database and enter the following SQL statement:
-- Note that you should replace 'prefix' with your table prefix and 'newusername' with your desired admin username.
UPDATE prefix_users SET user_login='newusername' WHERE user_login='admin';

Do not use the “wp_” table prefix for the tables in your MySQL database.

  • The database linked to your WordPress installation has a number of tables that drive the installation’s functions. For continuity’s sake, all the tables have the same prefix; some examples under the default prefix are wp_posts and wp_comments.
  • You should change the prefix to something other than “wp_” when first installing WordPress. Almost all SQL injection scripts out there will attempt to access tables with this prefix, so you’re far better protected by doing this.
  • Access your associated MySQL database (always good to make a backup first), and start renaming all the tables. If you haven’t installed WordPress yet and are on first time setup, you can skip this step. Example:
Rename table wp_comments to wangchung_comments;
  • You’ll also need to change the table prefix in wp-config.php, as shown here:
/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wangchung_';

You may notice that doing this locks you out of your Administrator account. No worries! There’s just a couple more commands to issue at the MySQL command prompt:

UPDATE newPrefix_options SET option_name = REPLACE(option_name, 'oldPrefix_', 'newPrefix_');
UPDATE newPrefix_usermeta SET meta_key = REPLACE(meta_key, 'oldPrefix_', 'newPrefix_');
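The whole prefix change, as an added example that is not part of the original article: a small generator that turns the output of SHOW TABLES into the SQL to run after taking a backup. The function name and sample table list are hypothetical, and unlike the two REPLACE statements above it rewrites the prefix only at the start of each key, so keys that merely contain the old prefix somewhere in the middle are left alone.

```python
import re

# wp-config.php allows only numbers, letters and underscores in a prefix.
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

def build_prefix_migration(tables, old, new):
    """Return the SQL statements that move a WordPress install from prefix
    `old` to prefix `new`. `tables` is the list printed by SHOW TABLES."""
    for prefix in (old, new):
        if not NAME_RE.match(prefix):
            raise ValueError(f"invalid table prefix: {prefix!r}")
    if old == new:
        raise ValueError("old and new prefix are identical")

    pairs = []
    for table in tables:
        if not table.startswith(old):
            continue  # not part of this WordPress installation
        if not NAME_RE.match(table):
            raise ValueError(f"unexpected table name: {table!r}")
        pairs.append(f"`{table}` TO `{new}{table[len(old):]}`")
    if not pairs:
        raise ValueError(f"no tables start with {old!r}")

    # One RENAME TABLE with several pairs is applied atomically by MySQL.
    statements = ["RENAME TABLE " + ", ".join(pairs) + ";"]

    # "_" is a single-character wildcard in LIKE, so escape it.
    like = old.replace("_", "\\_") + "%"
    for table, column in (("options", "option_name"), ("usermeta", "meta_key")):
        statements.append(
            f"UPDATE `{new}{table}` SET {column} = "
            f"CONCAT('{new}', SUBSTRING({column}, {len(old) + 1})) "
            f"WHERE {column} LIKE '{like}';"
        )
    return statements

if __name__ == "__main__":
    # Constructed table list for illustration.
    sample = ["wp_comments", "wp_options", "wp_posts", "wp_usermeta", "wp_users"]
    print("\n".join(build_prefix_migration(sample, "wp_", "wangchung_")))
```

Review the printed statements before pasting them at the MySQL prompt, and change $table_prefix in wp-config.php at the same time.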

Blocking access to unneeded information

WordPress can give away too much information. Here are a couple of ways to prevent it from doing that:

Prevent WordPress from giving specific error messages upon unsuccessful login attempts

  • WordPress, by default, will tell you when you’ve entered a wrong username or password. If someone is trying to guess these things, these error messages can sure help them narrow down their choices! It’s best to make WordPress throw a generic error instead. Open up the functions.php file, which is in wp-content/themes/yourtheme and add this line to it (somewhere outside of a function):
// code to hide feedback upon unsuccessful logins
// (create_function() was removed in PHP 8, so an anonymous function is used instead)
add_filter('login_errors', function () { return 'Please try again.'; });

Move wp-config.php up one directory

Moving this file out of your public folder makes it less accessible. WordPress is built to check for this file one directory up if it can’t find it in the default location.

Prevent malicious modification of the GLOBALS and $_REQUEST variables

Many attacks will attempt to inject malicious scripts into your database. Prevent this by adding the following code to your .htaccess file:

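Options +FollowSymLinks
RewriteEngine On
# Match query strings containing a <script> tag, raw or URL-encoded
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Match attempts to set the PHP GLOBALS or _REQUEST arrays through the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
# Answer any matching request with 403 Forbidden
RewriteRule ^(.*)$ index.php [F,L]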
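To see which requests these three conditions actually catch before deploying them, here is an added example (not part of the original article) that replays the same patterns over constructed query strings. It assumes Python's re module as a stand-in for Apache's regex engine; the function names and sample strings are hypothetical.

```python
import re

# The three RewriteCond patterns from the .htaccess snippet. Apache tests them
# against the raw (still URL-encoded) query string and searches unanchored.
RULES = [
    # [NC] on the first condition means case-insensitive.
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    # No [NC] here: PHP variable names are case-sensitive.
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]

def matched_rule(query_string):
    """Return the name of the first condition that matches, or None."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None

def is_blocked(query_string):
    """True when the RewriteRule would answer the request with 403."""
    return matched_rule(query_string) is not None

# Constructed sample query strings, not taken from real traffic.
SAMPLES = [
    "p=123",                            # ordinary post request
    "s=javascript+tutorial",            # contains "script" but no angle bracket
    "q=%3Cscript%3Ex%3C/script%3E",     # URL-encoded script tag
    "q=<SCRIPT>x</SCRIPT>",             # upper case, caught because of [NC]
    "GLOBALS[x]=1",                     # array-style overwrite attempt
    "a=1&_REQUEST%5Bx%5D=1",            # same idea with an encoded bracket
    "q=1%3C2&ref=description%3E",       # harmless, yet matches: a false positive
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{qs!r:40} -> {matched_rule(qs) or 'allowed'}")
```

The conditions read only %{QUERY_STRING}, so data submitted in POST bodies, such as comment and login forms, is not inspected by them.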

Back up, back up, back up

Regularly back up both your WordPress files and your database. The more you post content to your site, the more you should back up. This is not only to protect you from the bad guys, but also from yourself when you try new things.

  • You can use an FTP program such as FileZilla to back up your files to your local computer.
  • Refer to the plugin list below for a great plugin that will help you regularly back up your database.

Essential security plugins

  • Akismet – Comes pre-installed with WordPress, although you’ll need to apply for an API key to use it. You can do this through Akismet’s options panel in the Dashboard.
  • AntiVirus – keeps your blog protected from spam and malicious scripts.
  • Capability Manager – Allows you to fine-tune the capabilities of each user role. For example, you could give Contributors the ability to publish posts.
  • IP Ban – Allows you to ban IPs from seeing your site. This can be useful, but I don’t recommend simply banning every IP that tries to log in as admin. Most of these are spoofed, and DHCP will make them change anyway.
  • Limit Login Attempts – limits the amount of times an IP can try to log in before locking it out for a specified amount of time. You can also configure it to lock out that IP for a much, much longer time upon a certain number of lockouts.
  • SI CAPTCHA Anti-Spam – places a CAPTCHA on your login page. This, coupled with Limit Login Attempts, should keep out brute force bots forever.
  • WP-DBManager – part of good security is having backups, and this plugin does backups really well. It’ll back up your database at scheduled intervals, and you can even set it to email you the resulting .sql file.
  • WP Security Scan – scans your WordPress installation for vulnerabilities and alerts you to them. It can, in some cases, even fix them. I DO NOT recommend using this plugin to change your table prefix, however. That’s something you should do manually.

You can never be too careful these days when it comes to security. Luckily, these precautions will keep all but the most determined hackers out of your site. Happy blogging!

Guest author Thomas Frank is the founder of, a college success blog with a heavy focus on technology. He is a sophomore at Iowa State University studying management information systems and speech communication. Connect with him on Twitter. Licensed image courtesy of Flickr user Max Klingensmith.


  1. Dave Clements says:

    This is an excellent summary of essential security measures for WordPress to protect against all kinds of attacks. I’ve worked with WordPress for quite some time and I have to say that you’ve really covered all bases from a security standpoint. Excellent article.

    • Thomas Frank says:

      Thanks, Dave! I’ve been put in charge of all things WordPress at my job, so I’ve really been digging into its security features lately.

  2. XploringMinds says:

    Very useful tips.

  3. Swamykant says:

    Excellent post. I will surely implement some of the code.

  4. LiAqAt says:

    awesome post Frank!
    thanks for the tips

  5. Madhav Tripathi says:

    These days I am security conscious and using some methods discussed in this post but this post has advanced security tips and if one applies this it will be tough for intruders.

  6. iDCx says:

    fabulous post man! Even bookmarked it, it’s that good!

    Cheers for posting this – i run wordpress sites all over the web – love the CMS, but indeed a few have been hacked in my time – malware was a big one at one point – so really interested in this article!

    Thanks Thomas! great work

  7. Mr Grumpy Chops says:

    What a great page of useful tips, my question relates to the database tables. Will wordpress have a problem with any of your tips when you update?


    • Thomas Frank says:

      I always keep my WordPress installations up to date, and I’ve never had a problem with any of these. However, certain themes don’t play nice with “Blocking access to unneeded information”, such as some of the Elegant Themes.

  8. Trung Nguyen says:

    I’ll add AntiVirus plugin, thanks for share :)

  9. The Tech Mag says:

    We all know that the concept of blogging is very famous. For that purpose, WordPress is on top of selection. I already faced few issues due to the reason “Spam Comments” and “bad plugins”. I can also work on the suggestion you mentioned like “Move wp-config.php up one directory”.

  10. Bel Air Garage Door Repair says:

    There are so multiple comments here that are really attractive and conducive to me thanks for sharing a link especially for sharing this blog. I was guessing if You Could write a little more on this subject? I’d be very gratified if You Could elaborate a little bit more.

  11. Gamemunition says:

    If you ask me, I never paid attention to these things. Really these are matter of few hours. If you give this time looking into these points, it can save you in future. I realized that when I got attacked on my blog. This is a hard way of learning.
