Secure Your WordPress Blog

Security is like a part of our life. We need to secure ours from the others. In real life, we use keys to secure our house, car and many others from unwanted visitors or unwanted person, that maybe want to do something bad with our stuff. Same as your websites, in this case your blog. You also need to protect your blog from unwanted/bad visitors. You need to protect your information, data and any privacy you store on your website.

Follow these tips to secure your WordPress blog:
1. Use SSL Encryption to your website
With SSL encryption you can encrypt your data that being send. This will prevent someone that want to intercept your data like account credential by accessing the router. Your data will very hard to read and hard to decrypt. To have an SSL encryption you have to pay it. There are lot of SSL encryption service out there, and they can assist you how to install it. And for your WordPress blog, you can force your wordpress to always use SSL, add this line to your wp-config.php:

define('FORCE_SSL_ADMIN', true);

2. Do not show unnecessary information to your visitors
Sometimes if you have an error then WordPress will automatically show you the error message. You can turn it off by add this line to your themes function.php:

add_filter('login_errors',create_function('$a', "return null;"));

3. Protect you wp-config.php file
Wp-config.php file store the your database connection string. This need to be protected. Don’t allowed anyone see what is inside your wp-config.php. You can protect wp-config.php by using htaccess, add these lines to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all

4. Hide your WordPress version
For default installation, WordPress will show the wordpress version in your meta tags. This can be use by the attacker to know your wordpress version and find bugs to insert their malicious code into your blog. You can hide this WordPress version by add this into your themes function.php:

<?php remove_action('wp_head', 'wp_generator'); ?>

5. Blacklist spammer and bot!
I hate spammer! I beleive you do too. Now i’m using disquss comment system to handle my comment system. Before i got 100 spams everyday. This is annoying. Pay attention to your access_log, you can download it from the cpanel. See which ip that POST the comment frequently, and block that ip! To block the ip you can use .htaccess file, add this line:

<limit GET POST PUT>
order allow,deny
allow from all
deny from 123.456.789 #example ip

6. Use Disquss comment system to handle your comment system
Before i got 100 spams everyday, this made me sick. Now i’m using Disquss comment system. They can handle spams and your comment with their own bandwidth and resource. Open your account at disquss and install their wordpress module, and you are done! No more spammers! 🙂
7. Prevent Script Injection
Script injection is mostly used by the attacker to inject their unwanted script into your blog. Before someone attack yours with this technique, you can prevent it by edit your .htaccess, add these lines:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

8. Limit Your WP-Admin Access
Limit your WP-Admin access only from your ip and your co-authors ip. This can limit access to your wp-admin only for your ip. Please don’t do this step if you don’t have fixed ip or you travel a lot. Edit .htaccess to limit access to your wp-admin:

order deny, allow
allow from #change to your static ip
deny from all

9. Change The Default “Admin” Username
Before WordPress 3.0, the default use is admin, you cannot change it. But i suggest you to change it. You can change your username by using phpmyadmin. Open your phpmyadmin and run this query:

UPDATE wp_users SET user_login = '[Your New Username]' WHERE user_login = 'Admin';

10. Prevent directory browsing
As default config, apache will allowed directory browsing. Don’t allowed this. You can stop this by edit your .htaccess. Add these line to prevent directory browsing in apache:

Options -Indexes

11. Protect your blog from bad queries from url request
If you give you attention to your access_log, sometimes your will see something strange with your url request. That’s one technique of hacking action. Insert a bad url request to access your data in your website. This can be bad. You should take this serously. To prevent this action, i got a plugin to block bad url request. All credits goes to the respective owner:

Plugin Name: Block Bad Queries
Plugin URI:
Description: Protect WordPress Against Malicious URL Requests
Author URI:
Author: Perishable Press
Version: 1.0

global $user_ID;

if($user_ID) {
  if(!current_user_can('level_10')) {
    if (strlen($_SERVER['REQUEST_URI']) > 255 ||
      strpos($_SERVER['REQUEST_URI'], "eval(") ||
      strpos($_SERVER['REQUEST_URI'], "CONCAT") ||
      strpos($_SERVER['REQUEST_URI'], "UNION+SELECT") ||
      strpos($_SERVER['REQUEST_URI'], "base64")) {
        @header("HTTP/1.1 414 Request-URI Too Long");
	@header("Status: 414 Request-URI Too Long");
	@header("Connection: Close");

Save the code into a php file for example block.php. And upload it into your wp-content/plugins folder. Then activate it from your WordPress Admin.


  1. Thanks for the list.
    I found it to be very helpful.

  2. Sams ftp says:

    Validating user input is crucial to keeping your setup tight and secure. To many third party plugins have holes in them these days.

  3. Constanta says:

    Thank for this helpful tips.
    Really great post.
    All The Best!

  4. blue scarf says:

    well done , thank you for your work

  5. I mean after "<?php"

  6. bettygo says:

    very good article,thanks

  7. Thank you for the "Prevent directory browsing" tip. I'm very happy now with the protected folders.

  8. Anonymous says:

    nice article!

    thanks for the heads up!

  9. Anonymous says:

    Awesome! I'm gonna do these things. Thank you.

  10. Anonymous says:

    Thanks. I did all the changes. Great! I am on WP 3+ w/ Network on Subdomains.

    But, these ones didn't work:

    This one break my multilevel navigation code.
    "<"?php remove_action('wp_header', 'wp_generator'); ?">"

    This one adds the line below exposed at the top of my admin screen
    add_filter('login_errors',create_function('$a', "return null;"));

    This one returns a 500 error (I changed my IP)
    order deny, allow
    allow from #change to your static ip
    deny from all

  11. texas says:

    Hi, thanks for the article!

    I have wordpress 3.1.2, and I couldn't get rid of the wordpress version banner via:

    <?php remove_action('wp_header', 'wp_generator'); ?>

    I changed this to

    <?php remove_action('wp_head', 'wp_generator'); ?>

    and it works now.

  12. texas says:

    Hi, thanks for the article!

    I have wordpress 3.1.2, and I couldn't get rid of the wordpress version banner via:

    < ?php remove_action('wp_header', 'wp_generator'); ? >

    I changed this to

    < ?php remove_action('wp_head', 'wp_generator'); ? >

    and it works now.

Give me your feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.