WordPress out of the box is fairly secure but there are still some pretty big holes.  In addition, hosting environments and installation requirements often introduce gaping security holes in the WordPress framework. Below are a few best practices to help secure your WordPress framework.

Install Security Plugins

There are several good security plugins available.  Here are three that every WordPress installation should have installed and activated.

  1. Install wp-security scan and scan
  2. Install Login Lockout plugin
  3. Install WordPress Firewall 2

Changing security on WordPress directories

Some installations come with directories set to 777 out of the box.  Change security settings as follows (either chmod from the unix shell or use a FTP program such as FileZilla to set permissions and recurse permissions into subdirectories and files).

  1. Change your main WordPress home directory to 755
  2. Change .htaccess to 644 (all instances of .htaccess should be changed)
  3. Change wp-admin/index.php to 644
  4. Change permissions on wp-config.php to 644

Some WordPress plugins require the /wp-content/ folder be made writeable which may require setting 755 permissions on the plugin directory. The same is true for /wp-content/cache/ and maybe /wp-content/uploads/.

All directories should be 755 or 750 if possible.  All files should be 644 or 640 with the exception of wp-config.php which should be 600 to prevent other users on the server from reading it.


Security account changes

Lock down or delete the default admin account.  Create an account user and set their role to administrator.  Then select the admin user and change their role to subscriber (or delete it altogether).

Modify .htaccess to secure it

All instances of .htaccess should be modified to include the following lines.  Note that rewritecond below has a domain hardcoded in it.  You should change “yourdomainname” to the domain the .htaccess file is running under.

# DENY PUBLIC ACCESS TO YOUR wp-config.php File<files wp-config.php>

order allow,deny

deny from all



<Files php.ini>

order allow,deny

deny from all



<Files php5.ini>

order allow,deny

deny from all


#Disable ability for outside domains to link to our images. Add this to .htaccess

#Only allow images to be linked from this website.  Change the image name below (with a message that says “you can’t link to my images” or leave as a non-existent image file.

RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yourdomainname\.com/ [NC]

RewriteCond %{HTTP_REFERER} !^$

RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]

Add salts to wp-config.php

I believe this happens automatically during an upgrade but regardless, these should exist in your wp-config.php file.  Go to https://api.wordpress.org/secret-key/1.1/salt/ and it will generate unique keys that you paste into the wp-config.php file. You can regenerate these at any time and replace. The worst that can happen is users have to log back in again.

Cut and paste the lines generated and paste into your wp-config.php file.  If the salts already exist then simply paste over them and save the file.

Rename files that are no longer needed

No point in holding onto files that are no longer needed or could be destructive if they were run.

  1. Rename /wp-admin/install.php to install.php_backup
  2. Rename wp-config-sample.php to wp-config-sample.php_BACKUP
Print Friendly, PDF & Email

Leave a Reply