WordPress Security Tweaks


WordPress is a very capable, feature-rich blogging platform and content management system. It’s free and open-source, developed by hundreds of generous developers around the world, but how secure is it?

Generally speaking, it’s pretty good, but as open-source code it’s up to you to make sure you’ve got it installed and set up correctly. The following 10 tweaks are the more common things to watch out for.

Tweak #1: Remove the WordPress version from your website

Displaying your WordPress version number in your website’s source code makes it easier for potential hackers to exploit your particular install. Your version number may be hardcoded into your theme, so check for that too, but also add these few lines of code to functions.php in your theme:

//Remove the WordPress version from displaying
add_filter( 'the_generator', 'no_generator' );
function no_generator() { return ''; }

Tweak #2: Turn off file editing capabilities for plugins and themes

If you’re not often editing your theme or plugins in the WordPress Admin area, turn this feature off. Leaving it enabled makes it easier for potential hackers to make malicious changes to your code. Add the following line of code to wp-config.php:

//Turn off file editor for plugins and themes in wordpress admin
define('DISALLOW_FILE_EDIT', true);

Tweak #3: Remove unnecessary error messages on failed logins

WordPress (trying to be helpful) displays error messages on unsuccessful logins, mentioning that a username and/or password was incorrectly entered. This feedback makes it easier for hackers to start brute force attacks to get your password once they work out the login. Add these few lines of code to functions.php:

//Remove unnecessary error messages on failed logins
add_filter( 'login_errors', 'explain_less_login_issues' );
function explain_less_login_issues() {
   //Same message whether the username or the password was wrong
   return '<strong>ERROR</strong>: Entered credentials are incorrect.';
}

Tweak #4: Remove unnecessary files

There are two files found in your WordPress install that are really not required, these being readme.html and install.php.

The readme.html file contains the version of WordPress you are running, which can help a hacker exploit your install of WordPress. This file is unnecessary and can be deleted. It’s located in the root folder of your blog. (Be aware, though, that this file will reappear with the next upgrade of WordPress.)

The installation script install.php is used when you first install WordPress. It builds database tables and sets up your preferences. You can delete this file. It’s located in the /wp-admin directory.

Tweak #5: File and Folder permissions

The following permission settings are recommended by WordPress, as found in the WordPress Codex:

  • wp-config.php should be 400 or 440 to lock it from other users
  • .htaccess rights should be set to 644 or 664 (if you want WordPress to be able to edit .htaccess for you)
  • /wp-content/ should be writeable for all (777), according to the WordPress Codex. But it’s probably better to set it to 755 and change it to 777 temporarily if a plugin asks you to do that.
  • /wp-content/themes/ should have rights 755
  • /wp-content/plugins/ should have rights 755
  • /wp-admin/ should have rights 755
  • /wp-includes/ should have rights 755
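
To check an existing install against the list above, here is a small audit script. It is an added example, not part of the original article; the function names are made up for illustration, it assumes a Linux host with GNU stat, and it treats 755 as the expected mode for /wp-content/.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the modes listed above.
# Assumes GNU coreutils (stat -c). Function names are illustrative only.

# mode_of PATH: print the octal permission bits of PATH, e.g. 755.
mode_of() {
    stat -c '%a' "$1"
}

# check_mode PATH MODE...: print a finding unless PATH has one of the MODEs.
check_mode() {
    path=$1; shift
    # wp-config.php may legitimately live one directory up (see Tweak #6),
    # so a missing path is reported but not counted as a failure.
    [ -e "$path" ] || { echo "MISSING $path"; return 0; }
    actual=$(mode_of "$path")
    for ok in "$@"; do
        [ "$actual" = "$ok" ] && return 0
    done
    echo "FAIL $path is $actual, expected one of: $*"
}

# audit_wp_perms ROOT: print findings; return 1 if any path has a wrong mode.
audit_wp_perms() {
    root=${1%/}
    findings=$(
        check_mode "$root/wp-config.php" 400 440
        check_mode "$root/.htaccess" 644 664
        for d in wp-content wp-content/themes wp-content/plugins \
                 wp-admin wp-includes; do
            check_mode "$root/$d" 755
        done
    )
    [ -z "$findings" ] || printf '%s\n' "$findings"
    if printf '%s\n' "$findings" | grep -q '^FAIL '; then
        return 1
    fi
    return 0
}
```

Run it as audit_wp_perms /path/to/wordpress; a non-zero exit status means at least one path needs a chmod.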

Tweak #6: Secure wp-config.php

As mentioned in the WordPress Codex, you can move the wp-config.php file to the directory above your WordPress install. Additionally if you use a server with .htaccess, you can put the following lines of code in that file (at the very top) to deny access to anyone surfing for it:

<files wp-config.php>
order allow,deny
deny from all
</files>

Tweak #7: Ensure WP_DEBUG is turned off

This global variable should be turned off on your live website. Occasionally developers use this option when debugging and can forget to turn it off again when they’ve finished. You don’t want debugging information displaying on your website as it makes it easier for potential hackers to gain access. You can turn it off by ensuring that the global variable WP_DEBUG in wp-config.php is set to false.

define('WP_DEBUG', false);

Tweak #8: Don’t use the username ‘Admin’

Using Admin as a WordPress username is not safe. It’s way too predictable, making it easy to crack. You can execute the following SQL command in your MySQL interface client (such as phpMyAdmin) to change your username.

update tableprefix_users set user_login='newuser' where user_login='admin';

Tweak #9: Don’t use ‘wp_’ as your SQL table prefix

By default the WordPress super easy installer will set the table prefix to wp_, and if you don’t notice it when you install you’ll end up with very predictable table names. Make it harder for hackers and change this prefix to something unique and less obvious. Use your MySQL interface client (such as phpMyAdmin) to change all table prefixes from wp_ to something different, and set the table prefix in your wp-config.php.

$table_prefix  = 'tableprefix_';
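
Renaming the tables is not the whole job: WordPress also stores the prefix inside row data, in the user_roles option in the options table and in the per-user keys in usermeta (capabilities, user_level and so on). If those rows keep the old prefix, existing accounts lose their roles after the switch. The script below is an added example, not from the original article; gen_prefix_sql and valid_ident are hypothetical helper names, and the table list is assumed to arrive on standard input, one name per line (for instance from SHOW TABLES).

```shell
#!/bin/sh
# Added example: emit the SQL needed for a table-prefix change.
# Helper names are hypothetical. Table names are read from stdin, one per line.

# valid_ident NAME: succeed only for names safe to place in generated SQL.
valid_ident() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# gen_prefix_sql OLD NEW: print RENAME/UPDATE statements; return 2 on bad input.
gen_prefix_sql() {
    old=$1; new=$2
    valid_ident "$old" && valid_ident "$new" || {
        echo "invalid prefix" >&2
        return 2
    }
    while IFS= read -r table; do
        case $table in
            "$old"*) ;;          # only tables that carry the old prefix
            *) continue ;;
        esac
        valid_ident "$table" || { echo "skipping: $table" >&2; continue; }
        printf 'RENAME TABLE `%s` TO `%s%s`;\n' \
            "$table" "$new" "${table#"$old"}"
    done
    # Role definitions are stored under an option named after the prefix.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # Per-user keys (capabilities, user_level, ...) start with the prefix too.
    # LEFT() is used instead of LIKE so the underscore is not a wildcard.
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE LEFT(meta_key, %d) = '%s';\n" \
        "$new" "$new" "$(( ${#old} + 1 ))" "${#old}" "$old"
}
```

Review the generated statements and take a database backup before running them in your MySQL client, then set $table_prefix in wp-config.php to the new value.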

Tweak #10: Keep WordPress updated

You should keep your install of WordPress up-to-date to keep it secure. The developers of WordPress are constantly adding bug fixes and addressing vulnerabilities (plus adding fancy new features) with each new release. If you’re comfortable doing this kind of stuff yourself, by all means go for it, but there are plenty of experienced developers out there that can help you if not.

Detailed instructions can be found on the WordPress Codex.


Disclaimer: The above list is intended as a basic guide; some of the more common things to look out for. If you’re uncertain about anything mentioned here or not confident tinkering with your WordPress install please enlist the help of an experienced website developer.

